Endpoint Security

Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/07/08"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/06/22"
# Promotion rule: per the description it does not detect new activity itself,
# it re-surfaces alerts that Elastic Endpoint already raised as detection alerts.
promotion = true

[rule]
author = ["Elastic"]
description = """
Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to
immediately begin investigating your Endpoint alerts.
"""
enabled = true
# Look-back window per execution. No `interval` is set here, so the stack
# default applies; an interval longer than 10m would leave coverage gaps.
from = "now-10m"
index = ["logs-endpoint.alerts-*"]
language = "kuery"
license = "Elastic License v2"
# Per-execution cap on alerts produced. Deliberately high: every Endpoint alert
# should become exactly one detection alert, so a low cap would silently drop
# alerts during a burst (e.g. a malware outbreak or a noisy rollout).
max_signals = 10000
name = "Endpoint Security"
# Static fallback only; the risk_score_mapping / severity_mapping tables below
# override it per alert from the source event.
risk_score = 47
rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306"
# Alert name is taken from the source event's `message` field rather than this
# rule's name, so each alert reads as the Endpoint alert it promotes.
rule_name_override = "message"
severity = "medium"
tags = ["Data Source: Elastic Defend"]
# Window the query on ingest time rather than the event's own timestamp, so
# alerts that arrive late (offline hosts, backlogged agents) still fall inside
# the look-back window instead of being missed.
timestamp_override = "event.ingested"
type = "query"

# Match Endpoint alerts only. `endgame` documents are excluded; presumably they
# are promoted by a separate rule — confirm before changing, as widening this
# query would double-alert.
query = '''
event.kind:alert and event.module:(endpoint and not endgame)
'''


# Endpoint exception list. Entries here suppress alerts before they are written,
# so additions should be reviewed with the same care as any allowlist.
[[rule.exceptions_list]]
id = "endpoint_list"
list_id = "endpoint_list"
# agnostic: the list is shared across Kibana spaces rather than space-scoped.
namespace_type = "agnostic"
type = "endpoint"

# Risk score is copied from the Endpoint alert's own event.risk_score. The empty
# `value` appears intentional: the mapping is unconditional, not a match on a
# specific score.
[[rule.risk_score_mapping]]
field = "event.risk_score"
operator = "equals"
value = ""

# Severity is derived from event.severity on each alert. The numeric values are
# written as strings as the rule schema expects; 21/47/73/99 correspond to
# low/medium/high/critical. An unmatched value presumably falls back to the
# static `severity` above — verify against the stack version in use.
[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "low"
value = "21"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "medium"
value = "47"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "high"
value = "73"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "critical"
value = "99"
