sigma-rules/rules/promotions/external_alerts.toml

[metadata]
creation_date = "2020/07/08"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
promotion = true

[rule]
author = ["Elastic"]
description = """
Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to
immediately begin investigating external alerts in the app.
"""
index = ["apm-*-transaction*", "traces-apm*", "auditbeat-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "External Alerts"
risk_score = 47
rule_id = "eb079c62-4481-4d6e-9643-3ca499df7aaa"
rule_name_override = "message"
severity = "medium"
tags = ["OS: Windows", "Data Source: APM", "OS: macOS", "OS: Linux"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.kind:alert and not event.module:(endgame or endpoint or cloud_defend)
'''


[[rule.risk_score_mapping]]
field = "event.risk_score"
operator = "equals"
value = ""

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
value = "21"
severity = "low"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
value = "47"
severity = "medium"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
value = "73"
severity = "high"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
value = "99"
severity = "critical"