Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[New Rule] Endpoint Security Promotion Rules for Specific Events #3533

Merged
merged 80 commits into from
Dec 19, 2024
Merged
Show file tree
Hide file tree
Changes from 23 commits
Commits
Show all changes
80 commits
Select commit Hold shift + click to select a range
5dd7970
new endpoint security rules for specific alerts
terrancedejesus Mar 24, 2024
d47b135
updated risk scores
terrancedejesus Mar 24, 2024
bbd3d90
fixed rule names and UUIDs
terrancedejesus Mar 25, 2024
1f9ff5b
changed logic to use message field for detection vs prevention
terrancedejesus Mar 28, 2024
2539301
reverting changes
terrancedejesus Mar 28, 2024
b3c1393
reverting changes
terrancedejesus Mar 28, 2024
fb760f2
reverting to old commit
terrancedejesus Mar 28, 2024
36c1984
Merge branch 'new-rule-endpoint-security-promotions' of github.com:el…
terrancedejesus Mar 28, 2024
9030c6c
reverting to old commit
terrancedejesus Mar 28, 2024
552f2b2
reverting to old commit
terrancedejesus Mar 28, 2024
cb7ec5a
reverting to old commit
terrancedejesus Mar 28, 2024
ecae598
changed naming to Elastic Defend
terrancedejesus Mar 28, 2024
afd46f1
Merge branch 'main' into new-rule-endpoint-security-promotions
Mikaayenson Oct 31, 2024
c3f810a
updated rule dates and min-stacks
terrancedejesus Nov 26, 2024
ae08779
Merge branch 'main' into new-rule-endpoint-security-promotions
terrancedejesus Nov 26, 2024
6e581ff
linted; adjusted queries
terrancedejesus Nov 27, 2024
4b38614
updated ransomware, memory sig or shellcode risk
terrancedejesus Nov 27, 2024
bb0a2bc
Update rules/integrations/endpoint/elastic_endpoint_security.toml
terrancedejesus Nov 27, 2024
3e1b410
updated promotion rule
terrancedejesus Nov 27, 2024
fd95cde
fixed typos in naming
terrancedejesus Nov 27, 2024
8845a7b
updated setup guides
terrancedejesus Nov 27, 2024
23930b0
Merge branch 'main' into new-rule-endpoint-security-promotions
terrancedejesus Nov 27, 2024
7f5dd68
added intervals
terrancedejesus Nov 27, 2024
45931d8
added MITRE
Samirbous Dec 11, 2024
3a897ae
added investigation guide for Memory Threat
Samirbous Dec 11, 2024
1f92fa7
++
Samirbous Dec 11, 2024
72d6176
++
Samirbous Dec 11, 2024
0e0dddc
Update rules/integrations/endpoint/elastic_endpoint_security_behavior…
terrancedejesus Dec 12, 2024
a81c0d9
Update rules/integrations/endpoint/elastic_endpoint_security_memory_s…
terrancedejesus Dec 12, 2024
e8d1f11
Update rules/integrations/endpoint/elastic_endpoint_security_memory_s…
terrancedejesus Dec 12, 2024
716c603
Update rules/integrations/endpoint/elastic_endpoint_security_maliciou…
terrancedejesus Dec 12, 2024
c691843
Update rules/integrations/endpoint/elastic_endpoint_security_memory_s…
terrancedejesus Dec 12, 2024
acc55d2
Update rules/integrations/endpoint/elastic_endpoint_security_memory_s…
terrancedejesus Dec 12, 2024
5a085c8
Update rules/integrations/endpoint/elastic_endpoint_security_ransomwa…
terrancedejesus Dec 12, 2024
d841644
Update rules/integrations/endpoint/elastic_endpoint_security_ransomwa…
terrancedejesus Dec 12, 2024
a0876a5
++
Samirbous Dec 14, 2024
784f864
++
Samirbous Dec 14, 2024
bbe0c00
++
Samirbous Dec 14, 2024
943811a
++
Samirbous Dec 14, 2024
5b58649
Update rules/integrations/endpoint/elastic_endpoint_security.toml
Samirbous Dec 14, 2024
0ded2c0
Update rules/integrations/endpoint/elastic_endpoint_security_behavior…
Samirbous Dec 14, 2024
3ae6c43
Update rules/integrations/endpoint/elastic_endpoint_security_behavior…
Samirbous Dec 14, 2024
1f16839
Update rules/integrations/endpoint/elastic_endpoint_security_maliciou…
Samirbous Dec 14, 2024
a24862a
Update rules/integrations/endpoint/elastic_endpoint_security_memory_s…
Samirbous Dec 14, 2024
2d65d08
++
Samirbous Dec 18, 2024
a9be33f
++
Samirbous Dec 18, 2024
efd8cae
++
Samirbous Dec 18, 2024
b8bdc7d
Update rules/integrations/endpoint/elastic_endpoint_security_behavior…
Samirbous Dec 18, 2024
32d6b5b
Update rules/integrations/endpoint/execution_elastic_malicious_file_d…
Samirbous Dec 18, 2024
9cd5612
Update rules/integrations/endpoint/impact_elastic_ransomware_detected…
Samirbous Dec 18, 2024
7dc21c0
Update rules/integrations/endpoint/elastic_endpoint_security_behavior…
Samirbous Dec 18, 2024
e906e12
Update rules/integrations/endpoint/execution_elastic_malicious_file_p…
Samirbous Dec 18, 2024
55c4d15
Update rules/integrations/endpoint/impact_elastic_ransomware_prevente…
Samirbous Dec 18, 2024
09b6a6d
Update rules/integrations/endpoint/defense_evasion_elastic_memory_thr…
Samirbous Dec 18, 2024
91a7814
Update rules/integrations/endpoint/defense_evasion_elastic_memory_thr…
Samirbous Dec 18, 2024
614a4e5
Update rules/integrations/endpoint/elastic_endpoint_security_behavior…
Samirbous Dec 18, 2024
61641e9
Update rules/integrations/endpoint/elastic_endpoint_security_behavior…
Samirbous Dec 18, 2024
47d2680
Update rules/integrations/endpoint/elastic_endpoint_security_behavior…
Samirbous Dec 18, 2024
99d5294
Update rules/integrations/endpoint/execution_elastic_malicious_file_d…
Samirbous Dec 18, 2024
a424067
Update rules/integrations/endpoint/execution_elastic_malicious_file_d…
Samirbous Dec 18, 2024
7e6dbcf
Update rules/integrations/endpoint/execution_elastic_malicious_file_p…
Samirbous Dec 18, 2024
661ebb1
Update rules/integrations/endpoint/execution_elastic_malicious_file_p…
Samirbous Dec 18, 2024
a547658
Update rules/integrations/endpoint/execution_elastic_malicious_file_p…
Samirbous Dec 18, 2024
4114261
Update rules/integrations/endpoint/impact_elastic_ransomware_detected…
Samirbous Dec 18, 2024
36e5e48
Update rules/integrations/endpoint/impact_elastic_ransomware_detected…
Samirbous Dec 18, 2024
72443d4
Update rules/integrations/endpoint/impact_elastic_ransomware_detected…
Samirbous Dec 18, 2024
0382942
Update rules/integrations/endpoint/impact_elastic_ransomware_prevente…
Samirbous Dec 18, 2024
ddef417
Update rules/integrations/endpoint/impact_elastic_ransomware_prevente…
Samirbous Dec 18, 2024
c91de4e
Update rules/integrations/endpoint/defense_evasion_elastic_memory_thr…
Samirbous Dec 18, 2024
09098c6
Update rules/integrations/endpoint/impact_elastic_ransomware_prevente…
Samirbous Dec 18, 2024
30c0d1a
Update rules/integrations/endpoint/defense_evasion_elastic_memory_thr…
Samirbous Dec 18, 2024
fd86f63
Update rules/integrations/endpoint/defense_evasion_elastic_memory_thr…
Samirbous Dec 18, 2024
a7be955
Update rules/integrations/endpoint/defense_evasion_elastic_memory_thr…
Samirbous Dec 18, 2024
4d45523
Update defense_evasion_elastic_memory_threat_prevented.toml
Samirbous Dec 18, 2024
d343994
toml-lint
Samirbous Dec 18, 2024
1e7f000
Update rules/integrations/endpoint/execution_elastic_malicious_file_d…
Samirbous Dec 18, 2024
90869e8
Merge branch 'main' into new-rule-endpoint-security-promotions
Mikaayenson Dec 18, 2024
e1b565d
++
Samirbous Dec 19, 2024
9f76999
Merge branch 'new-rule-endpoint-security-promotions' of https://githu…
Samirbous Dec 19, 2024
b78a44f
Merge branch 'main' into new-rule-endpoint-security-promotions
terrancedejesus Dec 19, 2024
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
31 changes: 26 additions & 5 deletions rules/integrations/endpoint/elastic_endpoint_security.toml
Original file line number Diff line number Diff line change
Expand Up @@ -2,13 +2,15 @@
creation_date = "2020/07/08"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
promotion = true
updated_date = "2024/05/21"
updated_date = "2024/11/27"

[rule]
author = ["Elastic"]
description = """
Generates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to
Generates a detection alert each time an Elastic Defend alert is received. Enabling this rule allows you to
immediately begin investigating your Endpoint alerts.
"""
enabled = true
Expand All @@ -17,19 +19,38 @@ index = ["logs-endpoint.alerts-*"]
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "Endpoint Security"
name = "Endpoint Security (Elastic Defend)"

risk_score = 47
rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306"
rule_name_override = "message"
setup = """## Setup
setup = """
## Setup

### Elastic Defend Alerts
If this rule is disabled, you will not receive alerts for Elastic Defend alerts. This rule is designed to capture all alerts generated by Elastic Defend. For more granular alerting, consider using additional prebuilt-rules that capture specific Elastic Defend alerts.

If this rule is enabled, along with the related rules listed below, you will receive duplicate alerts for the same events. To avoid this, it is recommended to disable this generic rule and enable the more specific rules that capture these alerts separately.

Related rules:
- Behavior - Detected - Elastic Defend (UUID: 0f615fe4-eaa2-11ee-ae33-f661ea17fbce)
- Behavior - Prevented - Elastic Defend (UUID: eb804972-ea34-11ee-a417-f661ea17fbce)
- Malicious File - Detected - Elastic Defend (UUID: f2c3caa6-ea34-11ee-a417-f661ea17fbce)
- Malicious File - Prevented - Elastic Defend (UUID: f87e6122-ea34-11ee-a417-f661ea17fbce)
- Memory Signature - Detected - Elastic Defend (UUID: 017de1e4-ea35-11ee-a417-f661ea17fbce)
- Memory Signature - Prevented - Elastic Defend (UUID: 06f3a26c-ea35-11ee-a417-f661ea17fbce)
Samirbous marked this conversation as resolved.
Show resolved Hide resolved
- Ransomware - Detected - Elastic Defend (UUID: 0c74cd7e-ea35-11ee-a417-f661ea17fbce)
- Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce)

### Additional notes
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.

**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.

To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.

**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
"""
severity = "medium"
tags = ["Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,105 @@
[metadata]
creation_date = "2024/03/24"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
Samirbous marked this conversation as resolved.
Show resolved Hide resolved
min_stack_version = "8.16.0"
promotion = true
updated_date = "2024/11/26"

[rule]
author = ["Elastic"]
description = """
terrancedejesus marked this conversation as resolved.
Show resolved Hide resolved
Generates a detection alert each time an Elastic Defend alert for malicious behavior is received. Enabling this rule
allows you to immediately begin investigating your Endpoint behavior alerts. This rule identifies Elastic Defend
behavior detections only, and does not include prevention alerts.
"""
enabled = true
Samirbous marked this conversation as resolved.
Show resolved Hide resolved
from = "now-10m"
index = ["logs-endpoint.alerts-*"]
interval = "5m"
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "Behavior - Detected - Elastic Defend"
references = [
"https://github.com/elastic/protections-artifacts/tree/main/behavior",
"https://docs.elastic.co/en/integrations/endpoint",
]
risk_score = 47
rule_id = "0f615fe4-eaa2-11ee-ae33-f661ea17fbce"
rule_name_override = "message"
setup = """
## Setup

### Elastic Defend Alerts
This rule is designed to capture specific alerts generated by Elastic Defend.

To capture all the Elastic Defend alerts, it is recommended to use all of the Elastic Defend feature-specific protection rules:

Behavior - Detected - Elastic Defend (UUID: 0f615fe4-eaa2-11ee-ae33-f661ea17fbce)
Behavior - Prevented - Elastic Defend (UUID: eb804972-ea34-11ee-a417-f661ea17fbce)
Malicious File - Detected - Elastic Defend (UUID: f2c3caa6-ea34-11ee-a417-f661ea17fbce)
Malicious File - Prevented - Elastic Defend (UUID: f87e6122-ea34-11ee-a417-f661ea17fbce)
Memory Signature - Detected - Elastic Defend (UUID: 017de1e4-ea35-11ee-a417-f661ea17fbce)
Memory Signature - Prevented - Elastic Defend (UUID: 06f3a26c-ea35-11ee-a417-f661ea17fbce)
Samirbous marked this conversation as resolved.
Show resolved Hide resolved
Ransomware - Detected - Elastic Defend (UUID: 0c74cd7e-ea35-11ee-a417-f661ea17fbce)
Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce)

To avoid creation of duplicate alerts, all rules mentioned above or the Elastic Defend rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306) should be enabled.
natasha-moore-elastic marked this conversation as resolved.
Show resolved Hide resolved
terrancedejesus marked this conversation as resolved.
Show resolved Hide resolved

### Additional notes
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.

**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.

To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.

**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
"""
severity = "medium"
tags = ["Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.kind : alert and event.code : behavior and (event.type : allowed or (event.type: denied and event.outcome: failure))
'''


[[rule.exceptions_list]]
id = "endpoint_list"
list_id = "endpoint_list"
namespace_type = "agnostic"
type = "endpoint"

[[rule.risk_score_mapping]]
field = "event.risk_score"
operator = "equals"
value = ""

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "low"
value = "21"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "medium"
value = "47"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "high"
value = "73"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "critical"
value = "99"


Original file line number Diff line number Diff line change
@@ -0,0 +1,105 @@
[metadata]
creation_date = "2024/03/24"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
Samirbous marked this conversation as resolved.
Show resolved Hide resolved
min_stack_version = "8.16.0"
promotion = true
updated_date = "2024/11/26"

[rule]
author = ["Elastic"]
description = """
Generates a detection alert each time an Elastic Defend alert for malicious behavior is received. Enabling this rule
allows you to immediately begin investigating your Endpoint behavior alerts. This rule identifies Elastic Defend
behavior preventions only, and does not include detection only alerts.
"""
enabled = true
Samirbous marked this conversation as resolved.
Show resolved Hide resolved
from = "now-10m"
index = ["logs-endpoint.alerts-*"]
interval = "5m"
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "Behavior - Prevented - Elastic Defend"
references = [
"https://github.com/elastic/protections-artifacts/tree/main/behavior",
"https://docs.elastic.co/en/integrations/endpoint",
]
risk_score = 21
rule_id = "eb804972-ea34-11ee-a417-f661ea17fbce"
rule_name_override = "message"
setup = """
## Setup

### Elastic Defend Alerts
This rule is designed to capture specific alerts generated by Elastic Defend.

To capture all the Elastic Defend alerts, it is recommended to use all of the Elastic Defend feature-specific protection rules:

Behavior - Detected - Elastic Defend (UUID: 0f615fe4-eaa2-11ee-ae33-f661ea17fbce)
Behavior - Prevented - Elastic Defend (UUID: eb804972-ea34-11ee-a417-f661ea17fbce)
Malicious File - Detected - Elastic Defend (UUID: f2c3caa6-ea34-11ee-a417-f661ea17fbce)
Malicious File - Prevented - Elastic Defend (UUID: f87e6122-ea34-11ee-a417-f661ea17fbce)
Memory Signature - Detected - Elastic Defend (UUID: 017de1e4-ea35-11ee-a417-f661ea17fbce)
Memory Signature - Prevented - Elastic Defend (UUID: 06f3a26c-ea35-11ee-a417-f661ea17fbce)
Samirbous marked this conversation as resolved.
Show resolved Hide resolved
Ransomware - Detected - Elastic Defend (UUID: 0c74cd7e-ea35-11ee-a417-f661ea17fbce)
Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce)

To avoid creation of duplicate alerts, all rules mentioned above or the Elastic Defend rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306) should be enabled.
Samirbous marked this conversation as resolved.
Show resolved Hide resolved

### Additional notes
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.

**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.

To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.

**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
"""
severity = "low"
tags = ["Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.kind : alert and event.code : behavior and event.type : denied and event.outcome : success
'''


[[rule.exceptions_list]]
id = "endpoint_list"
list_id = "endpoint_list"
namespace_type = "agnostic"
type = "endpoint"

[[rule.risk_score_mapping]]
field = "event.risk_score"
operator = "equals"
value = ""

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "low"
value = "21"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "medium"
value = "47"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "high"
value = "73"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "critical"
value = "99"


Original file line number Diff line number Diff line change
@@ -0,0 +1,105 @@
[metadata]
creation_date = "2024/03/24"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.16.0"
promotion = true
updated_date = "2024/11/26"

[rule]
author = ["Elastic"]
description = """
Generates a detection alert each time an Elastic Defend alert for malicious files is received. Enabling this rule allows
you to immediately begin investigating your Endpoint malicious file alerts. This rule identifies Elastic Defend
malicious file detections only, and does not include prevention alerts.
"""
enabled = true
from = "now-10m"
index = ["logs-endpoint.alerts-*"]
interval = "5m"
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
name = "Malicious File - Detected - Elastic Defend"
references = [
"https://github.com/elastic/protections-artifacts/tree/main/yara",
"https://docs.elastic.co/en/integrations/endpoint",
]
risk_score = 47
rule_id = "f2c3caa6-ea34-11ee-a417-f661ea17fbce"
rule_name_override = "message"
setup = """
## Setup

### Elastic Defend Alerts
This rule is designed to capture specific alerts generated by Elastic Defend.

To capture all the Elastic Defend alerts, it is recommended to use all of the Elastic Defend feature-specific protection rules:

Behavior - Detected - Elastic Defend (UUID: 0f615fe4-eaa2-11ee-ae33-f661ea17fbce)
Behavior - Prevented - Elastic Defend (UUID: eb804972-ea34-11ee-a417-f661ea17fbce)
Malicious File - Detected - Elastic Defend (UUID: f2c3caa6-ea34-11ee-a417-f661ea17fbce)
Malicious File - Prevented - Elastic Defend (UUID: f87e6122-ea34-11ee-a417-f661ea17fbce)
Memory Signature - Detected - Elastic Defend (UUID: 017de1e4-ea35-11ee-a417-f661ea17fbce)
Memory Signature - Prevented - Elastic Defend (UUID: 06f3a26c-ea35-11ee-a417-f661ea17fbce)
Samirbous marked this conversation as resolved.
Show resolved Hide resolved
Ransomware - Detected - Elastic Defend (UUID: 0c74cd7e-ea35-11ee-a417-f661ea17fbce)
Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce)

To avoid creation of duplicate alerts, all rules mentioned above or the Elastic Defend rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306) should be enabled.

### Additional notes
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.

**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.

To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.

**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
"""
severity = "medium"
tags = ["Data Source: Elastic Defend"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.kind : alert and event.code : malicious_file and (event.type : allowed or (event.type: denied and event.outcome: failure))
'''


[[rule.exceptions_list]]
id = "endpoint_list"
list_id = "endpoint_list"
namespace_type = "agnostic"
type = "endpoint"

[[rule.risk_score_mapping]]
field = "event.risk_score"
operator = "equals"
value = ""

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "low"
value = "21"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "medium"
value = "47"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "high"
value = "73"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "critical"
value = "99"


Loading
Loading