External Alerts

Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.

Elastic rule (View on GitHub)

# Packaging metadata read by the detection-rules tooling; none of it affects
# what the query in [rule] matches.
[metadata]
creation_date = "2020/07/08"
maturity = "production"
# Free-text rationale recorded alongside min_stack_version. Note that the
# fields it names do not appear in this rule's body.
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2024/01/17"
# This rule re-surfaces alerts produced by other products rather than detecting
# behaviour itself (see the description in [rule]); presumably that is what the
# promotion flag marks — confirm against the rule schema.
promotion = true

[rule]
author = ["Elastic"]
description = """
Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to
immediately begin investigating external alerts in the app.
"""
# Index patterns the query runs against. "logs-*" is broad: any document that
# lands in a matching index with event.kind:alert is promoted, so the set of
# sources shipping into these patterns decides what surfaces as an alert.
index = ["apm-*-transaction*", "traces-apm*", "auditbeat-*", "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]
language = "kuery"
license = "Elastic License v2"
# Per-execution alert cap, set high because each matching source alert becomes
# one detection alert (see description). Presumably matches beyond this cap in
# a single run are not alerted on — confirm against max_signals semantics.
max_signals = 10000
name = "External Alerts"
# Default risk score; presumably overridden per alert when the
# risk_score_mapping below applies — confirm.
risk_score = 47
rule_id = "eb079c62-4481-4d6e-9643-3ca499df7aaa"
# The generated alert's name is taken from the source document's "message"
# field, so the displayed title is whatever the upstream product (or the data it
# summarised) wrote there — treat it as untrusted text when triaging.
rule_name_override = "message"
# Default severity; presumably overridden per alert when a severity_mapping
# entry below matches — confirm.
severity = "medium"
tags = ["OS: Windows", "Data Source: APM", "OS: macOS", "OS: Linux"]
# The rule's time window is evaluated on ingest time rather than @timestamp,
# presumably so late-arriving source alerts are still picked up — confirm.
timestamp_override = "event.ingested"
type = "query"

# Match every alert-kind event except those from the endgame, endpoint and
# cloud_defend modules, which are excluded here (presumably promoted by their
# own rules — confirm).
query = '''
event.kind:alert and not event.module:(endgame or endpoint or cloud_defend)
'''


# Carry the source document's event.risk_score through to the alert's risk
# score. The empty value presumably means "whatever value is present" rather
# than a literal match on the empty string — confirm against the mapping schema.
[[rule.risk_score_mapping]]
field = "event.risk_score"
operator = "equals"
value = ""

# Map the source document's event.severity onto the alert severity. Only the
# four exact string values below map (operator is "equals"); they are the same
# numbers Elastic uses as default risk scores per severity tier (47 is also this
# rule's default risk_score). A document with any other event.severity
# presumably keeps the default "medium" from [rule] — confirm.
[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
value = "21"
severity = "low"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
value = "47"
severity = "medium"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
value = "73"
severity = "high"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
value = "99"
severity = "critical"
