External Alerts

Generates a detection alert for each external (third-party) alert written to the configured indices; alerts produced by Elastic's own Endgame, Endpoint and Cloud Defend modules are excluded by the rule's query. Enabling this rule allows you to immediately begin investigating external alerts in the app.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2020/07/08"
maturity = "production"
# A promotion rule: it re-emits alerts that other tools already wrote to the
# source indices (see `rule.description`) rather than detecting new behaviour
# itself.
promotion = true
updated_date = "2024/05/21"
 6
[rule]
author = ["Elastic"]
description = """
Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to
immediately begin investigating external alerts in the app.
"""
# Source index patterns. Note how broad `logs-*` is: any integration or agent
# that writes a document with event.kind:alert into these patterns gets that
# document promoted to a detection alert (see `query` below). Anything with
# write access to these indices can therefore create, or flood, alerts in the
# detection UI — scope index write privileges accordingly.
index = [
    "apm-*-transaction*",
    "traces-apm*",
    "auditbeat-*",
    "filebeat-*",
    "logs-*",
    "packetbeat-*",
    "winlogbeat-*",
]
# `query` below is written in KQL.
language = "kuery"
license = "Elastic License v2"
# Raised above the 1000-per-run default so a burst of external alerts is not
# silently truncated. Still capped by `xpack.alerting.rules.run.alerts.max`
# (see `setup`): matches beyond the effective cap are not turned into alerts
# in that run.
max_signals = 10000
name = "External Alerts"
# Base values. The risk_score_mapping / severity_mapping tables at the end of
# the file derive per-alert values from the source document when the mapped
# field is present (presumably falling back to these otherwise — confirm in
# the Kibana rule docs).
risk_score = 47
rule_id = "eb079c62-4481-4d6e-9643-3ca499df7aaa"
# NOTE(review): Kibana's rule-name override takes the alert name from the
# source document's `message` field. That text is produced by the external
# tool (and ultimately by whatever it observed), so alert titles here are
# third-party-controlled data, not a trusted label — do not key playbooks,
# suppression or exceptions on the title alone.
rule_name_override = "message"
setup = """## Setup

This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.

**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.

To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.

**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
severity = "medium"
tags = ["OS: Windows", "Data Source: APM", "OS: macOS", "OS: Linux"]
# NOTE(review): presumably selects documents by ingest time rather than the
# event's own @timestamp, so external alerts that arrive late are still
# picked up within the rule's lookback — confirm against the Kibana docs.
timestamp_override = "event.ingested"
type = "query"

# Promote every document flagged as an alert, except those from Elastic's own
# Endgame / Endpoint / Cloud Defend modules (presumably covered by dedicated
# promotion rules, to avoid double-alerting — confirm). The `not
# event.module:(...)` clause also matches documents that have no event.module
# at all, so anything tagged event.kind:alert by an unknown or unset module is
# promoted too.
query = '''
event.kind:alert and not event.module:(endgame or endpoint or cloud_defend)
'''
46
47
# Per-alert risk score is taken from the source document's event.risk_score.
# NOTE(review): an empty `value` with operator "equals" is the expected form
# for a risk-score mapping (the field's own value is used, no comparison is
# made) — do not "fix" it to a number. Like the rest of the document, this
# field is set by the external tool, so the score it carries is not vetted.
[[rule.risk_score_mapping]]
field = "event.risk_score"
operator = "equals"
value = ""
52
# Per-alert severity is derived from the source document's numeric
# event.severity. Only the four exact values below map — the same 21/47/73/99
# scale this rule's own risk_score (47 ↔ "medium") follows. A source that
# emits any other scale gets no mapping and presumably keeps the rule's base
# severity — confirm in the Kibana docs, and add mappings if a source uses
# different values. As with the risk score, the value is supplied by the
# external tool, so a source can self-assign "critical".
[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "low"
value = "21"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "medium"
value = "47"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "high"
value = "73"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "critical"
value = "99"
