Jonhnathan
b4c84e8a40
* Update Tags * Bump updated date separately to be easy to revert if needed * Update resource_development_ml_linux_anomalous_compiler_activity.toml * Apply changes from the discussion * Update persistence_init_d_file_creation.toml * Update defense_evasion_timestomp_sysmon.toml * Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml * Update missing Tactic tags * Update unit tests to match new tags * Add missing IG tags * Delete okta_threat_detected_by_okta_threatinsight.toml * Update command_and_control_google_drive_malicious_file_download.toml * Update persistence_rc_script_creation.toml * Mass bump * Update persistence_shell_activity_by_web_server.toml * . --------- Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
33 lines
956 B
TOML
33 lines
956 B
TOML
[metadata]
|
|
creation_date = "2023/04/05"
|
|
integration = ["cloud_defend"]
|
|
maturity = "production"
|
|
min_stack_comments = "Initial version of the Container Workload Protection alerts"
|
|
min_stack_version = "8.8.0"
|
|
updated_date = "2023/06/22"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Generates a detection alert each time a 'Container Workload Protection' alert is received. Enabling this rule allows you to
|
|
immediately begin triaging and investigating these alerts.
|
|
"""
|
|
enabled = true
|
|
from = "now-10m"
|
|
index = ["logs-cloud_defend.alerts-*"]
|
|
language = "kuery"
|
|
license = "Elastic License v2"
|
|
max_signals = 10000
|
|
name = "Container Workload Protection"
|
|
risk_score = 47
|
|
rule_id = "4b4e9c99-27ea-4621-95c8-82341bc6e512"
|
|
rule_name_override = "message"
|
|
severity = "medium"
|
|
tags = ["Data Source: Elastic Defend for Containers", "Domain: Container"]
|
|
timestamp_override = "event.ingested"
|
|
type = "query"
|
|
|
|
query = '''
|
|
event.kind:alert and event.module:cloud_defend
|
|
'''
|