My First Rule

This rule helps you test and practice using alerts with Elastic Security as you get set up. It’s not a sign of threat activity.

Elastic rule (View on GitHub)

```toml
[metadata]
creation_date = "2022/09/22"
maturity = "production"
updated_date = "2025/01/15"

[rule]
author = ["Elastic"]
description = """
This rule helps you test and practice using alerts with Elastic Security as you get set up. It’s not a sign of threat
activity.
"""
enabled = false
false_positives = [
    "This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts.",
]
from = "now-35m"
index = ["auditbeat-*", "filebeat-*", "logs-*", "winlogbeat-*"]
interval = "30m"
language = "kuery"
license = "Elastic License v2"
max_signals = 1
name = "My First Rule"
note = """## Triage and analysis

> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.

### Investigating My First Rule
Elastic Security leverages event data to monitor and alert on potential security incidents. The "My First Rule" is a foundational rule designed for onboarding, focusing on event data without indicating a specific threat. Adversaries might exploit event logging to obscure their tracks or trigger false alerts. This rule helps analysts familiarize themselves with event-based alerts, ensuring they can identify and respond to genuine threats effectively.

### Possible investigation steps

- Review the event data associated with the alert to understand the context and source of the event.kind:event.
- Check the timestamp of the event to determine when the activity occurred and correlate it with other events around the same time.
- Identify the host or user associated with the event to assess if there is any unusual or unauthorized activity.
- Examine related logs or events from the same source to identify any patterns or anomalies that could indicate suspicious behavior.
- Consult with team members or use internal resources to determine if the event is part of normal operations or if it requires further investigation.

### False positive analysis

- Routine system events can trigger alerts, as the rule monitors all event data without filtering for specific threats.
- Identify and document common non-threatening events that frequently trigger alerts, such as regular system updates or scheduled tasks.
- Use exceptions to exclude these documented non-threatening events from triggering alerts, reducing noise and focusing on genuine threats.
- Regularly review and update the list of exceptions to ensure it remains relevant and does not inadvertently exclude new potential threats.
- Collaborate with IT and operations teams to understand normal event patterns and adjust the rule's exceptions accordingly.

### Response and remediation

- Verify the legitimacy of the event by cross-referencing with known benign activities or scheduled tasks to rule out false positives.
- Contain any potential threat by isolating affected systems or accounts if suspicious activity is confirmed, preventing further unauthorized access or damage.
- Remediate by reviewing and adjusting logging configurations to ensure accurate event capture and reduce the risk of adversaries exploiting logging mechanisms.
- Escalate the incident to the appropriate security team or management if the event correlates with other suspicious activities or if it indicates a potential breach.
- Enhance detection capabilities by updating alerting rules to include additional context or indicators observed during the investigation, ensuring better identification of similar threats in the future.

This is a test alert.

This alert does not show threat activity. Elastic created this alert to help you understand how alerts work.

For normal rules, the Investigation Guide will help analysts investigate alerts.

This alert will show once every 24 hours for each host. It is safe to disable this rule.
"""
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"]
risk_score = 21
rule_id = "a198fbbd-9413-45ec-a269-47ae4ccf59ce"
severity = "low"
tags = ["Use Case: Guided Onboarding", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
type = "threshold"

query = '''
event.kind:event
'''

[rule.threshold]
field = ["host.name"]
value = 1
```
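To make the threshold semantics of this rule concrete, here is an added example (not Elastic's code) that mirrors what one execution does: filter events on `event.kind:event`, keep only those whose `event.ingested` falls in the `now-35m` lookback, bucket by `host.name`, alert on buckets reaching the threshold `value`, cap at `max_signals`, and optionally drop hosts covered by an exception. The rule parameters are copied from the TOML above; the events, the `NOW` clock and the `evaluate`/`in_window` helpers are constructed for the example.

```python
"""Offline evaluator for the 'My First Rule' threshold rule (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Parameters taken from the rule TOML on this page.
RULE = {
    "query_field": "event.kind", "query_value": "event",   # query = 'event.kind:event'
    "threshold_field": "host.name", "threshold_value": 1,  # [rule.threshold]
    "max_signals": 1,                                      # alerts per execution
    "lookback": timedelta(minutes=35),                     # from = "now-35m"
    "timestamp_field": "event.ingested",                   # timestamp_override
}

def in_window(event, now, rule):
    """Keyed on event.ingested: the 35m lookback vs the 30m interval gives a
    5 minute overlap so late-ingested events still land in some execution."""
    ts = datetime.fromisoformat(event[rule["timestamp_field"]])
    return now - rule["lookback"] <= ts <= now

def evaluate(events, now, rule=RULE, exceptions=()):
    """Return the alerts one rule execution would raise.
    exceptions: host names excluded via rule exceptions (hypothetical list
    modelling the 'known benign sources' the investigation guide describes)."""
    counts = Counter()
    for ev in events:
        if ev.get(rule["query_field"]) != rule["query_value"]:
            continue                         # fails the KQL query
        if not in_window(ev, now, rule):
            continue                         # outside the lookback window
        host = ev.get(rule["threshold_field"])
        if host is None or host in exceptions:
            continue                         # no bucket field, or excepted
        counts[host] += 1
    alerts = [{"host.name": h, "count": n} for h, n in sorted(counts.items())
              if n >= rule["threshold_value"]]
    return alerts[: rule["max_signals"]]     # max_signals caps alerts per run

# Constructed sample events (not real telemetry); NOW is the execution time.
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"event.kind": "event", "host.name": "web-01", "event.ingested": "2025-01-15T11:50:00+00:00"},
    {"event.kind": "event", "host.name": "web-01", "event.ingested": "2025-01-15T11:55:00+00:00"},
    {"event.kind": "event", "host.name": "db-01", "event.ingested": "2025-01-15T11:28:00+00:00"},
    {"event.kind": "event", "host.name": "old-01", "event.ingested": "2025-01-15T11:10:00+00:00"},
    {"event.kind": "alert", "host.name": "ids-01", "event.ingested": "2025-01-15T11:59:00+00:00"},
    {"event.kind": "event", "event.ingested": "2025-01-15T11:59:00+00:00"},
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_EVENTS, NOW))                       # capped to 1 alert
    print(evaluate(SAMPLE_EVENTS, NOW, {**RULE, "max_signals": 10}))
```

With `max_signals = 1` only the first bucket (`db-01`) is raised even though `web-01` also qualifies; `old-01` is outside the lookback and the `event.kind: alert` document never matches the query.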
