forked from elastic/detection-rules
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathguided_onboarding_sample_rule.toml
61 lines (52 loc) · 1.54 KB
/
guided_onboarding_sample_rule.toml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
[metadata]
creation_date = "2022/09/22"
maturity = "development"
updated_date = "2022/12/21"
min_stack_comments = "Guided Onboarding will be available in Elastic 8.6+"
min_stack_version = "8.6.0"
[rule]
author = ["Elastic"]
description = """
This rule helps you test and practice using alerts with Elastic Security as you get set up. It’s not a sign of threat
activity.
"""
enabled = false
false_positives = [
"This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts.",
]
from = "now-24h"
index = [
"apm-*-transaction*",
"auditbeat-*",
"endgame-*",
"filebeat-*",
"logs-*",
"packetbeat-*",
"traces-apm*",
"winlogbeat-*",
"-*elastic-cloud-logs-*",
]
interval = "24h"
language = "kuery"
license = "Elastic License v2"
max_signals = 1
name = "My First Rule"
note = """
This is a test alert.
This alert does not show threat activity. Elastic created this alert to help you understand how alerts work.
For normal rules, the Investigation Guide will help analysts investigate alerts.
This alert will show once every 24 hours for each host. It is safe to disable this rule.
"""
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"]
risk_score = 21
rule_id = "a198fbbd-9413-45ec-a269-47ae4ccf59ce"
severity = "low"
tags = ["Elastic", "Example", "Guided Onboarding", "Network", "APM", "Windows", "Elastic Endgame"]
timestamp_override = "event.ingested"
type = "threshold"
query = '''
event.kind:"event"
'''
[rule.threshold]
field = ["host.name"]
value = 1