[metadata]
creation_date = "2020/07/08"
maturity = "production"
updated_date = "2021/09/03"

[rule]
author = ["Elastic"]
description = """
Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to
immediately begin investigating your Endpoint alerts.
"""
enabled = true
from = "now-10m"
index = ["logs-endpoint.alerts-*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "Endpoint Security"
risk_score = 47
rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306"
rule_name_override = "message"
severity = "medium"
tags = ["Elastic", "Endpoint Security"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.kind:alert and event.module:(endpoint and not endgame)
'''


[[rule.exceptions_list]]
id = "endpoint_list"
list_id = "endpoint_list"
namespace_type = "agnostic"
type = "endpoint"

[[rule.risk_score_mapping]]
field = "event.risk_score"
operator = "equals"
value = ""

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
value = "21"
severity = "low"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
value = "47"
severity = "medium"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
value = "73"
severity = "high"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
value = "99"
severity = "critical"