Endpoint Security
Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.
# Elastic prebuilt detection rule. Per the description, every incoming
# Elastic Endpoint Security alert is re-raised as a detection alert, so the
# keys here mostly govern alert volume, naming and scoring rather than
# detection logic of their own.
[metadata]
creation_date = "2020/07/08"
integration = ["endpoint"]
maturity = "production"
# NOTE(review): presumably marks this as a "promotion" rule (one that promotes
# existing Endpoint alerts instead of matching raw events) — confirm against
# the rule schema.
promotion = true
updated_date = "2024/05/21"

[rule]
author = ["Elastic"]
description = """
Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to
immediately begin investigating your Endpoint alerts.
"""
enabled = true
# Lookback window for each run. With timestamp_override set below, this is
# evaluated against event.ingested rather than @timestamp.
from = "now-10m"
index = ["logs-endpoint.alerts-*"]
language = "kuery"
license = "Elastic License v2"
# Deliberately above the 1000-per-run default so a busy fleet is not
# truncated; the setup text below explains the Kibana-wide cap
# (xpack.alerting.rules.run.alerts.max) that can still limit this.
max_signals = 10000
name = "Endpoint Security"
# Static risk score; presumably the fallback when the per-event mapping in
# [[rule.risk_score_mapping]] below finds no event.risk_score — TODO confirm.
risk_score = 47
rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306"
# The alert name is taken from the source event's `message` field, so alert
# titles vary per Endpoint alert. Automation and tuning should key on
# rule_id, which is stable, rather than on the alert name.
rule_name_override = "message"
setup = """## Setup

This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.

**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.

To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.

**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
# Static severity; per-event severity comes from [[rule.severity_mapping]].
severity = "medium"
tags = ["Data Source: Elastic Defend"]
# Run the lookback window on ingest time (presumably so alerts that arrive
# late, e.g. from offline hosts, are not skipped).
timestamp_override = "event.ingested"
type = "query"

# Select every alert-kind event from the endpoint module; `not endgame`
# drops events whose event.module is `endgame`.
query = '''
event.kind:alert and event.module:(endpoint and not endgame)
'''


# Attach the Endpoint exception list so exceptions managed for Elastic Defend
# also suppress alerts from this rule. NOTE(review): "agnostic" looks like
# the space-agnostic namespace — verify.
[[rule.exceptions_list]]
id = "endpoint_list"
list_id = "endpoint_list"
namespace_type = "agnostic"
type = "endpoint"

# Take the alert's risk score from the event itself. `value` is empty
# because the mapping copies the field rather than matching on a value —
# TODO confirm against the rule schema.
[[rule.risk_score_mapping]]
field = "event.risk_score"
operator = "equals"
value = ""

# Translate the numeric event.severity emitted by Endpoint into a rule
# severity. The values are written as strings here, matching the schema;
# an unmapped value presumably falls back to the static severity above.
[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "low"
value = "21"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "medium"
value = "47"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "high"
value = "73"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "critical"
value = "99"