sigma-rules/rules/cross-platform/guided_onboarding_sample_rule.toml
Jonhnathan a08cbc7390 [Rule Tuning] Guided Onboarding Rule (#3502)
* [Rule Tuning] Guided Onboarding Rule

* Update guided_onboarding_sample_rule.toml

* Revert "Update guided_onboarding_sample_rule.toml"

This reverts commit 18721277df7416534440a4708fa3b060f2775a27.

* Update guided_onboarding_sample_rule.toml

* Update guided_onboarding_sample_rule.toml

---------

Co-authored-by: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>

(cherry picked from commit c610e19114)
2024-03-14 14:04:49 +00:00

# Rule metadata. Dates are kept as "YYYY/MM/DD" strings (slash-separated, so not native TOML dates),
# matching the convention used throughout this file.
[metadata]
creation_date = "2022/09/22"
maturity = "production"
# NOTE(review): this comment says 8.6+ while min_stack_version below pins 8.7.0 — confirm which is intended
# and align the two so the stated minimum is unambiguous.
min_stack_comments = "Guided Onboarding will be available in Elastic 8.6+"
min_stack_version = "8.7.0"
updated_date = "2024/03/14"
# Sample onboarding rule. It ships disabled, matches essentially any event, and its own
# description/note state that an alert from it is NOT a sign of threat activity.
[rule]
author = ["Elastic"]
# NOTE(review): "Its" should read "It's" — user-facing text, left unchanged here.
description = """
This rule helps you test and practice using alerts with Elastic Security as you get set up. Its not a sign of threat
activity.
"""
# Shipped disabled; a user has to enable it to see the sample alert.
enabled = false
# NOTE(review): the hosting page flagged ambiguous Unicode characters in this file — check that the
# apostrophe in "you're" (and any other punctuation in these strings) is plain ASCII.
false_positives = [
"This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts.",
]
# Look-back window of 30 minutes per run, while `interval` below is 24h: each daily run only
# examines the most recent half-hour of data. Presumably intentional for a rule that matches any
# event — a real detection rule would keep `from` at least as wide as `interval`.
from = "now-30m"
# Broad index patterns; combined with the match-all-style query below, anyone copying this
# rule as a template should narrow both.
index = ["auditbeat-*", "filebeat-*", "logs-*", "winlogbeat-*"]
interval = "24h"
language = "kuery"
license = "Elastic License v2"
# NOTE(review): the note below promises one alert per host per day, but max_signals = 1 caps the
# alerts produced per run — confirm the intended behaviour on multi-host deployments.
max_signals = 1
name = "My First Rule"
note = """This is a test alert.
This alert does not show threat activity. Elastic created this alert to help you understand how alerts work.
For normal rules, the Investigation Guide will help analysts investigate alerts.
This alert will show once every 24 hours for each host. It is safe to disable this rule.
"""
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"]
risk_score = 21
rule_id = "a198fbbd-9413-45ec-a269-47ae4ccf59ce"
severity = "low"
tags = ["Use Case: Guided Onboarding"]
# Per Elastic's timestamp_override semantics, the time window is evaluated against event.ingested
# (ingest time) rather than the event's own timestamp, so late-arriving events still fall in-window.
timestamp_override = "event.ingested"
type = "threshold"
# Matches every document whose event.kind is "event" in the indices above; the per-host
# grouping that turns this into one alert per host lives in [rule.threshold].
query = '''
event.kind:event
'''
# Threshold settings: results are grouped by host.name, and a group alerts once its document
# count reaches `value` (1) — i.e. any single matching event from a host qualifies, which is
# what produces the "once per host" behaviour described in the rule note.
[rule.threshold]
field = ["host.name"]
value = 1