Skip to content

Commit

Permalink
[FR] Add max_signal note, unit test, and rule tuning (#3669)
Browse files Browse the repository at this point in the history
(cherry picked from commit f07a9e6)
  • Loading branch information
Mikaayenson authored and github-actions[bot] committed May 14, 2024
1 parent a4b3820 commit ca8af12
Show file tree
Hide file tree
Showing 19 changed files with 206 additions and 19 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ integration = ["cloud_defend"]
maturity = "production"
min_stack_comments = "Initial version of the Container Workload Protection alerts"
min_stack_version = "8.8.0"
updated_date = "2023/06/22"
updated_date = "2024/05/13"

[rule]
author = ["Elastic"]
Expand All @@ -22,6 +22,15 @@ name = "Container Workload Protection"
risk_score = 47
rule_id = "4b4e9c99-27ea-4621-95c8-82341bc6e512"
rule_name_override = "message"
setup = """## Setup
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
severity = "medium"
tags = ["Data Source: Elastic Defend for Containers", "Domain: Container"]
timestamp_override = "event.ingested"
Expand Down
11 changes: 10 additions & 1 deletion rules/integrations/endpoint/elastic_endpoint_security.toml
Original file line number Diff line number Diff line change
Expand Up @@ -4,7 +4,7 @@ integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
updated_date = "2024/05/13"
promotion = true

[rule]
Expand All @@ -23,6 +23,15 @@ name = "Endpoint Security"
risk_score = 47
rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306"
rule_name_override = "message"
setup = """## Setup
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
severity = "medium"
tags = ["Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/17"
updated_date = "2024/05/13"
promotion = true

[rule]
Expand All @@ -21,6 +21,15 @@ max_signals = 10000
name = "Credential Dumping - Detected - Elastic Endgame"
risk_score = 73
rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e"
setup = """## Setup
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
severity = "high"
tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"]
type = "query"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/17"
updated_date = "2024/05/13"
promotion = true

[rule]
Expand All @@ -21,6 +21,15 @@ max_signals = 10000
name = "Credential Dumping - Prevented - Elastic Endgame"
risk_score = 47
rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13"
setup = """## Setup
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
severity = "medium"
tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"]
type = "query"
Expand Down
11 changes: 10 additions & 1 deletion rules/promotions/endgame_adversary_behavior_detected.toml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/17"
updated_date = "2024/05/13"
promotion = true

[rule]
Expand All @@ -21,6 +21,15 @@ max_signals = 10000
name = "Adversary Behavior - Detected - Elastic Endgame"
risk_score = 47
rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69"
setup = """## Setup
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
severity = "medium"
tags = ["Data Source: Elastic Endgame"]
type = "query"
Expand Down
11 changes: 10 additions & 1 deletion rules/promotions/endgame_malware_detected.toml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/17"
updated_date = "2024/05/13"
promotion = true

[rule]
Expand All @@ -21,6 +21,15 @@ max_signals = 10000
name = "Malware - Detected - Elastic Endgame"
risk_score = 99
rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de"
setup = """## Setup
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
severity = "critical"
tags = ["Data Source: Elastic Endgame"]
type = "query"
Expand Down
11 changes: 10 additions & 1 deletion rules/promotions/endgame_malware_prevented.toml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/17"
updated_date = "2024/05/13"
promotion = true

[rule]
Expand All @@ -21,6 +21,15 @@ max_signals = 10000
name = "Malware - Prevented - Elastic Endgame"
risk_score = 73
rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895"
setup = """## Setup
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
severity = "high"
tags = ["Data Source: Elastic Endgame"]
type = "query"
Expand Down
11 changes: 10 additions & 1 deletion rules/promotions/endgame_ransomware_detected.toml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/17"
updated_date = "2024/05/13"
promotion = true

[rule]
Expand All @@ -21,6 +21,15 @@ max_signals = 10000
name = "Ransomware - Detected - Elastic Endgame"
risk_score = 99
rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd"
setup = """## Setup
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
severity = "critical"
tags = ["Data Source: Elastic Endgame"]
type = "query"
Expand Down
11 changes: 10 additions & 1 deletion rules/promotions/endgame_ransomware_prevented.toml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/17"
updated_date = "2024/05/13"
promotion = true

[rule]
Expand All @@ -21,6 +21,15 @@ max_signals = 10000
name = "Ransomware - Prevented - Elastic Endgame"
risk_score = 73
rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac"
setup = """## Setup
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
severity = "high"
tags = ["Data Source: Elastic Endgame"]
type = "query"
Expand Down
11 changes: 10 additions & 1 deletion rules/promotions/execution_endgame_exploit_detected.toml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/17"
updated_date = "2024/05/13"
promotion = true

[rule]
Expand All @@ -21,6 +21,15 @@ max_signals = 10000
name = "Exploit - Detected - Elastic Endgame"
risk_score = 73
rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514"
setup = """## Setup
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
severity = "high"
tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"]
type = "query"
Expand Down
11 changes: 10 additions & 1 deletion rules/promotions/execution_endgame_exploit_prevented.toml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/17"
updated_date = "2024/05/13"
promotion = true

[rule]
Expand All @@ -21,6 +21,15 @@ max_signals = 10000
name = "Exploit - Prevented - Elastic Endgame"
risk_score = 47
rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036"
setup = """## Setup
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
severity = "medium"
tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"]
type = "query"
Expand Down
11 changes: 10 additions & 1 deletion rules/promotions/external_alerts.toml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ creation_date = "2020/07/08"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/17"
updated_date = "2024/05/13"
promotion = true

[rule]
Expand All @@ -20,6 +20,15 @@ name = "External Alerts"
risk_score = 47
rule_id = "eb079c62-4481-4d6e-9643-3ca499df7aaa"
rule_name_override = "message"
setup = """## Setup
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
severity = "medium"
tags = ["OS: Windows", "Data Source: APM", "OS: macOS", "OS: Linux"]
timestamp_override = "event.ingested"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ creation_date = "2020/02/18"
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/17"
updated_date = "2024/05/13"
promotion = true

[rule]
Expand All @@ -21,6 +21,15 @@ max_signals = 10000
name = "Credential Manipulation - Detected - Elastic Endgame"
risk_score = 73
rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f"
setup = """## Setup
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
severity = "high"
tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
type = "query"
Expand Down
Loading

0 comments on commit ca8af12

Please sign in to comment.