Skip to content

Commit a5411c5

Browse files
brokensound77brokensound77
authored
Add guided onboarding rule (#144065)
1 parent 7ce362c commit a5411c5

2 files changed

Lines changed: 768 additions & 707 deletions

File tree

x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/content/prepackaged_rules/guided_onborading_sample_rule.json

Lines changed: 60 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,60 @@
1+
{
2+
"author": [
3+
"Elastic"
4+
],
5+
"description": "This rule helps you test and practice using alerts with Elastic Security as you get set up. It\u2019s not a sign of threat activity.",
6+
"enabled": false,
7+
"false_positives": [
8+
"This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts."
9+
],
10+
"from": "now-24h",
11+
"index": [
12+
"apm-*-transaction*",
13+
"auditbeat-*",
14+
"endgame-*",
15+
"filebeat-*",
16+
"logs-*",
17+
"packetbeat-*",
18+
"traces-apm*",
19+
"winlogbeat-*",
20+
"-*elastic-cloud-logs-*"
21+
],
22+
"interval": "24h",
23+
"language": "kuery",
24+
"license": "Elastic License v2",
25+
"max_signals": 1,
26+
"name": "My First Alert",
27+
"note": " \nThis is a test alert.\n\nThis alert does not show threat activity. Elastic created this alert to help you understand how alerts work.\n\nFor normal rules, the Investigation Guide will help analysts investigate alerts.\n\nThis alert will show once every 24 hours for each host. It is safe to disable this rule.\n",
28+
"query": "event.kind:\"event\"\n",
29+
"references": [
30+
"https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"
31+
],
32+
"required_fields": [
33+
{
34+
"ecs": true,
35+
"name": "event.kind",
36+
"type": "keyword"
37+
}
38+
],
39+
"risk_score": 21,
40+
"rule_id": "a198fbbd-9413-45ec-a269-47ae4ccf59ce",
41+
"severity": "low",
42+
"tags": [
43+
"Elastic",
44+
"Example",
45+
"Guided Onboarding",
46+
"Network",
47+
"APM",
48+
"Windows",
49+
"Elastic Endgame"
50+
],
51+
"threshold": {
52+
"field": [
53+
"host.name"
54+
],
55+
"value": 1
56+
},
57+
"timestamp_override": "event.ingested",
58+
"type": "threshold",
59+
"version": 1
60+
}

0 commit comments

Comments
 (0)