Terrance DeJesus
dad008ea34
* rule tuning Okta and AWS lookback times * adjusted Query Registry using Built-in Tools * adjusted My First Rule * Update rules/cross-platform/guided_onboarding_sample_rule.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> * Update rules/integrations/okta/lateral_movement_multiple_sessions_for_single_user.toml Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com> --------- Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
49 lines
1.2 KiB
TOML
49 lines
1.2 KiB
TOML
[metadata]
|
||
creation_date = "2022/09/22"
|
||
maturity = "production"
|
||
updated_date = "2024/12/19"
|
||
|
||
[rule]
|
||
author = ["Elastic"]
|
||
description = """
|
||
This rule helps you test and practice using alerts with Elastic Security as you get set up. It’s not a sign of threat
|
||
activity.
|
||
"""
|
||
enabled = false
|
||
false_positives = [
|
||
"This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts.",
|
||
]
|
||
from = "now-35m"
|
||
index = ["auditbeat-*", "filebeat-*", "logs-*", "winlogbeat-*"]
|
||
interval = "30m"
|
||
language = "kuery"
|
||
license = "Elastic License v2"
|
||
max_signals = 1
|
||
name = "My First Rule"
|
||
note = """This is a test alert.
|
||
|
||
This alert does not show threat activity. Elastic created this alert to help you understand how alerts work.
|
||
|
||
For normal rules, the Investigation Guide will help analysts investigate alerts.
|
||
|
||
This alert will show once every 24 hours for each host. It is safe to disable this rule.
|
||
"""
|
||
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"]
|
||
risk_score = 21
|
||
rule_id = "a198fbbd-9413-45ec-a269-47ae4ccf59ce"
|
||
severity = "low"
|
||
tags = ["Use Case: Guided Onboarding"]
|
||
timestamp_override = "event.ingested"
|
||
type = "threshold"
|
||
|
||
query = '''
|
||
event.kind:event
|
||
'''
|
||
|
||
|
||
|
||
[rule.threshold]
|
||
field = ["host.name"]
|
||
value = 1
|
||
|