Endpoint Security (Elastic Defend)

Generates a detection alert each time an Elastic Defend alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.


[metadata]
creation_date = "2020/07/08"
integration = ["endpoint"]
maturity = "production"
# Explains why min_stack_version is pinned where it is: the rule uses
# fields (required_fields, related_integrations, setup) absent from older stacks.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
# Promotion rule: it re-surfaces alerts produced by an external source
# (Elastic Defend) as detection alerts rather than detecting a behaviour itself.
promotion = true
updated_date = "2024/11/27"

[rule]
author = ["Elastic"]
description = """
Generates a detection alert each time an Elastic Defend alert is received. Enabling this rule allows you to
immediately begin investigating your Endpoint alerts.
"""
# Shipped enabled. The `setup` text below explains when to disable this
# catch-all rule in favour of the more specific Elastic Defend rules.
enabled = true
# Look-back window per run. No `interval` key is set here, so the platform
# default schedule applies and consecutive windows overlap; together with
# timestamp_override this limits the chance of missing late-arriving alerts.
from = "now-10m"
# Data stream into which Elastic Defend writes its alerts.
index = ["logs-endpoint.alerts-*"]
language = "kuery"
license = "Elastic License v2"
# Raised above the 1000-per-run default so a burst of endpoint alerts is not
# truncated. Still capped by `xpack.alerting.rules.run.alerts.max`; see the
# "Additional notes" section of `setup` below.
max_signals = 10000
name = "Endpoint Security (Elastic Defend)"

# Fallback only: the [[rule.risk_score_mapping]] and [[rule.severity_mapping]]
# entries further down take the per-alert values from event.risk_score and
# event.severity when those fields are present on the Defend alert.
risk_score = 47
rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306"
# The generated alert is named after the source event's `message` field
# rather than this rule's name, so each alert reads as the Defend alert it wraps.
rule_name_override = "message"
setup = """
## Setup

### Elastic Defend Alerts
If this rule is disabled, you will not receive alerts for Elastic Defend alerts. This rule is designed to capture all alerts generated by Elastic Defend. For more granular alerting, consider using additional prebuilt-rules that capture specific Elastic Defend alerts.

If this rule is enabled, along with the related rules listed below, you will receive duplicate alerts for the same events. To avoid this, it is recommended to disable this generic rule and enable the more specific rules that capture these alerts separately.

Related rules:
- Behavior - Detected - Elastic Defend (UUID: 0f615fe4-eaa2-11ee-ae33-f661ea17fbce)
- Behavior - Prevented - Elastic Defend (UUID: eb804972-ea34-11ee-a417-f661ea17fbce)
- Malicious File - Detected - Elastic Defend (UUID: f2c3caa6-ea34-11ee-a417-f661ea17fbce)
- Malicious File - Prevented - Elastic Defend (UUID: f87e6122-ea34-11ee-a417-f661ea17fbce)
- Memory Threat - Detected - Elastic Defend (UUID: 017de1e4-ea35-11ee-a417-f661ea17fbce)
- Memory Threat - Prevented - Elastic Defend (UUID: 06f3a26c-ea35-11ee-a417-f661ea17fbce)
- Ransomware - Detected - Elastic Defend (UUID: 0c74cd7e-ea35-11ee-a417-f661ea17fbce)
- Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce)

### Additional notes
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.

**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.

To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.

**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
"""
# Fallback severity; see the [[rule.severity_mapping]] entries below.
severity = "medium"
tags = ["Data Source: Elastic Defend"]
# Query on ingest time instead of @timestamp so that events delayed between
# the endpoint and the cluster still fall inside the look-back window.
timestamp_override = "event.ingested"
type = "query"

# Selects every alert document from the endpoint module. The `not endgame`
# clause keeps documents that also carry the legacy endgame module value out
# of this rule (presumably so they are not promoted twice — confirm against
# the separate Endgame promotion rule).
query = '''
event.kind:alert and event.module:(endpoint and not endgame)
'''

# Attaches the shared Endpoint Security exception list (space-agnostic, type
# "endpoint"). Entries on it suppress alerts from this rule.
# NOTE(review): this list type is presumably the same one that is distributed
# to Elastic Defend itself, so an exception added here may also affect what
# the endpoint reports, not just this rule's alerts — verify before adding
# broad entries.
[[rule.exceptions_list]]
id = "endpoint_list"
list_id = "endpoint_list"
namespace_type = "agnostic"
type = "endpoint"

# Per-alert risk score is taken directly from the Defend alert's
# event.risk_score. The empty `value` is the form the rule editor writes for a
# straight field override (no specific match value); do not put a number here
# or only alerts with that exact score would be mapped.
[[rule.risk_score_mapping]]
field = "event.risk_score"
operator = "equals"
value = ""

# Severity bands: each entry maps one exact numeric event.severity value from
# the Defend alert to a severity label. Matching is exact ("equals"), so an
# event.severity outside the four listed values falls back to the rule-level
# severity ("medium").
[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "low"
value = "21"

# 47 is also the rule-level risk_score, so a medium Defend alert and an
# unmapped alert carry the same score.
[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "medium"
value = "47"

# event.severity 73 -> high.
[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "high"
value = "73"

# event.severity 99 -> critical (highest band).
[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "critical"
value = "99"
