sigma-rules/rules/cross-platform/guided_onboarding_sample_rule.toml
eric-forte-elastic aaa4ce2ea0 [BUG] test_all_rule_queries_optimized does not run on rules (#2823)
* Fixed kql -> kuery in test_all_rule_queries_opt...

* all queries optimized

* manually reconciled all rules that failed due to toml escaped chars

* merge rules from main

* Rules needing optimization

* Fix optimized note

* fix another note

* another note fix

* fixing whitespace

* Updated for readability

---------

Co-authored-by: terrancedejesus <terrance.dejesus@elastic.co>
Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
2023-06-23 10:58:31 -04:00

# Packaging metadata for the rule. Dates are written as "YYYY/MM/DD" strings
# (not TOML date values), matching the rest of the repository.
[metadata]
creation_date = "2022/09/22"
maturity = "production"
# NOTE(review): this comment says 8.6+, while min_stack_version below pins 8.7.0 —
# confirm which stack version is actually required and align the two.
min_stack_comments = "Guided Onboarding will be available in Elastic 8.6+"
min_stack_version = "8.7.0"
# Last edit to the rule content; bump whenever the [rule] section changes.
updated_date = "2023/06/22"
# Onboarding sample rule: fires on ordinary event data so new users can see how
# alerts behave. It is not a detection of malicious activity (see description/note).
[rule]
author = ["Elastic"]
# NOTE(review): "Its" reads as "It's" (a typo in user-facing text); left unchanged
# here because editing rule text also implies bumping metadata.updated_date — confirm.
description = """
This rule helps you test and practice using alerts with Elastic Security as you get set up. Its not a sign of threat
activity.
"""
# Shipped disabled: a user must opt in before this rule generates alerts.
enabled = false
false_positives = [
"This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts.",
]
# Lookback window; together with interval = "24h" below each run covers the previous day.
from = "now-24h"
index = [
"apm-*-transaction*",
"auditbeat-*",
"endgame-*",
"filebeat-*",
"logs-*",
"packetbeat-*",
"traces-apm*",
"winlogbeat-*",
# Leading "-" presumably excludes the cloud logs indices from the broad "logs-*"
# pattern above so the rule does not alert on the deployment's own log shipping — confirm.
"-*elastic-cloud-logs-*",
]
interval = "24h"
# Query syntax is KQL; the value must be "kuery" (see the "kql -> kuery" fix in the commit history).
language = "kuery"
license = "Elastic License v2"
# Caps the alerts produced per execution; per the note text below the intent is one
# alert per host per 24h, with the per-host grouping defined in [rule.threshold].
max_signals = 1
name = "My First Rule"
note = """This is a test alert.
This alert does not show threat activity. Elastic created this alert to help you understand how alerts work.
For normal rules, the Investigation Guide will help analysts investigate alerts.
This alert will show once every 24 hours for each host. It is safe to disable this rule.
"""
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"]
# Deliberately low risk/severity: the match is benign by design.
risk_score = 21
rule_id = "a198fbbd-9413-45ec-a269-47ae4ccf59ce"
severity = "low"
tags = ["Use Case: Guided Onboarding", "Data Source: APM", "OS: Windows", "Data Source: Elastic Endgame"]
# Evaluates against ingest time rather than the event's own @timestamp — presumably so
# late-arriving events are not missed by the 24h lookback; confirm against the rule docs.
timestamp_override = "event.ingested"
# Threshold rule: the grouping field and count live in [rule.threshold] below.
type = "threshold"
# Intentionally broad — matches every document whose event.kind is "event" — so that
# there is always something to alert on; the threshold keeps the volume to one per host.
query = '''
event.kind:event
'''
# Parameters for type = "threshold" above: group matches by host.name and alert once the
# count reaches `value`. With value = 1 a single matching event per host is enough, which
# is what produces the "once every 24 hours for each host" behaviour described in the note.
[rule.threshold]
field = ["host.name"]
value = 1