Skip to content
Merged
Show file tree
Hide file tree
Changes from 9 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This kind of rule shouldn't need to be troubleshooted, we are limiting it on purpose

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We are just adding a consistent setup guide note on all rules with max_signals. The value of this rule is untouched

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh i see the point of adding troubleshoot guide. But the thought proccess was to add a consistent setup guide across, If this is not a valid information for users, we can limit to the promotion rules only @w0rk3r

Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/12/21"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2025/03/20"
updated_date = "2025/03/24"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -68,6 +68,12 @@ references = [
]
risk_score = 47
rule_id = "027ff9ea-85e7-42e3-99d2-bbb7069e02eb"
setup = """## Setup

### Additional notes

For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "medium"
tags = [
"Domain: Endpoint",
Expand Down
6 changes: 5 additions & 1 deletion rules/cross-platform/defense_evasion_timestomp_touch.toml
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/11/03"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/03/24"

[rule]
author = ["Elastic"]
Expand All @@ -25,6 +25,10 @@ events will not define `event.ingested` and default fallback for EQL rules was n
Hence for this rule to work effectively, users will need to add a custom ingest pipeline to populate
`event.ingested` to @timestamp.
For more details on adding a custom ingest pipeline refer - https://www.elastic.co/guide/en/fleet/current/data-streams-pipeline-tutorial.html

### Additional notes

For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "medium"
tags = [
Expand Down
8 changes: 7 additions & 1 deletion rules/cross-platform/guided_onboarding_sample_rule.toml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
[metadata]
creation_date = "2022/09/22"
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/03/24"

[rule]
author = ["Elastic"]
Expand Down Expand Up @@ -63,6 +63,12 @@ This alert will show once every 24 hours for each host. It is safe to disable th
references = ["https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"]
risk_score = 21
rule_id = "a198fbbd-9413-45ec-a269-47ae4ccf59ce"
setup = """## Setup

### Additional notes

For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "low"
tags = ["Use Case: Guided Onboarding", "Resources: Investigation Guide"]
timestamp_override = "event.ingested"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
creation_date = "2020/04/23"
integration = ["endpoint"]
maturity = "production"
updated_date = "2025/01/15"
updated_date = "2025/03/24"

[rule]
author = ["Elastic"]
Expand All @@ -22,6 +22,12 @@ name = "SUID/SGID Bit Set"
references = ["https://www.elastic.co/security-labs/primer-on-persistence-mechanisms"]
risk_score = 21
rule_id = "8a1b0278-0f9a-487d-96bd-d4833298e87a"
setup = """## Setup

### Additional notes

For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "low"
tags = [
"Domain: Endpoint",
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ maturity = "production"
min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
min_stack_version = "8.16.0"
promotion = true
updated_date = "2025/02/06"
updated_date = "2025/03/21"

[rule]
author = ["Elastic"]
Expand All @@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"]
interval = "1m"
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
max_signals = 1000
name = "Memory Threat - Detected - Elastic Defend"
note = """## Triage and analysis

Expand Down Expand Up @@ -102,13 +102,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f
To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306).

### Additional notes
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.

**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
Comment thread
shashank-elastic marked this conversation as resolved.

To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.

**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
For information on troubleshooting the maximum alerts warning, please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).

Small adjust

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@approksiu thoughts on this, as we have derived this from the issue template.

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good! I am fine with the change

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This would need to be changed across all rules in this PR

"""
severity = "high"
tags = ["Data Source: Elastic Defend", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ maturity = "production"
min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
min_stack_version = "8.16.0"
promotion = true
updated_date = "2025/02/06"
updated_date = "2025/03/21"

[rule]
author = ["Elastic"]
Expand All @@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"]
interval = "1m"
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
max_signals = 1000
name = "Memory Threat - Prevented- Elastic Defend"
note = """## Triage and analysis

Expand Down Expand Up @@ -101,13 +101,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f
To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306).

### Additional notes
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.

**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.

To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.

**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "high"
tags = ["Data Source: Elastic Defend", "Tactic: Defense Evasion", "Resources: Investigation Guide"]
Expand Down
11 changes: 3 additions & 8 deletions rules/integrations/endpoint/elastic_endpoint_security.toml
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@ creation_date = "2020/07/08"
integration = ["endpoint"]
maturity = "production"
promotion = true
updated_date = "2025/03/20"
updated_date = "2025/03/21"

[rule]
author = ["Elastic"]
Expand All @@ -17,7 +17,7 @@ index = ["logs-endpoint.alerts-*"]
interval = "1m"
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
max_signals = 1000
name = "Endpoint Security (Elastic Defend)"
note = """## Triage and analysis

Expand Down Expand Up @@ -75,13 +75,8 @@ Related rules:
- Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce)

### Additional notes
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.

**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.

To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.

**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "medium"
tags = ["Data Source: Elastic Defend", "Resources: Investigation Guide"]
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ maturity = "production"
min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
min_stack_version = "8.16.0"
promotion = true
updated_date = "2025/02/06"
updated_date = "2025/03/21"

[rule]
author = ["Elastic"]
Expand All @@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"]
interval = "1m"
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
max_signals = 1000
name = "Behavior - Detected - Elastic Defend"
note = """## Triage and analysis

Expand Down Expand Up @@ -85,13 +85,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f
To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306).

### Additional notes
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.

**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.

To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.

**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "medium"
tags = ["Data Source: Elastic Defend", "Resources: Investigation Guide"]
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ maturity = "production"
min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
min_stack_version = "8.16.0"
promotion = true
updated_date = "2025/02/06"
updated_date = "2025/03/21"

[rule]
author = ["Elastic"]
Expand All @@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"]
interval = "1m"
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
max_signals = 1000
name = "Behavior - Prevented - Elastic Defend"
note = """## Triage and analysis

Expand Down Expand Up @@ -86,13 +86,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f
To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306).

### Additional notes
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.

**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.

To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.

**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "low"
tags = ["Data Source: Elastic Defend", "Resources: Investigation Guide"]
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ maturity = "production"
min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
min_stack_version = "8.16.0"
promotion = true
updated_date = "2025/02/06"
updated_date = "2025/03/21"

[rule]
author = ["Elastic"]
Expand All @@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"]
interval = "1m"
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
max_signals = 1000
name = "Malicious File - Detected - Elastic Defend"
note = """## Triage and analysis

Expand Down Expand Up @@ -93,13 +93,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f
To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306).

### Additional notes
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.

**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.

To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.

**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "medium"
tags = ["Data Source: Elastic Defend", "Tactic: Execution", "Resources: Investigation Guide"]
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ maturity = "production"
min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
min_stack_version = "8.16.0"
promotion = true
updated_date = "2025/02/06"
updated_date = "2025/03/21"

[rule]
author = ["Elastic"]
Expand All @@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"]
interval = "1m"
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
max_signals = 1000
name = "Malicious File - Prevented - Elastic Defend"
note = """## Triage and analysis

Expand Down Expand Up @@ -93,13 +93,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f
To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306).

### Additional notes
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.

**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.

To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.

**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "low"
tags = ["Data Source: Elastic Defend", "Tactic: Execution", "Resources: Investigation Guide"]
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ maturity = "production"
min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
min_stack_version = "8.16.0"
promotion = true
updated_date = "2025/02/06"
updated_date = "2025/03/21"

[rule]
author = ["Elastic"]
Expand All @@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"]
interval = "1m"
language = "kuery"
license = "Elastic License v2"
max_signals = 10000
max_signals = 1000
name = "Ransomware - Detected - Elastic Defend"
note = """## Triage and analysis

Expand Down Expand Up @@ -84,13 +84,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f
To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306).

### Additional notes
This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.

**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.

To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.

**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "high"
tags = ["Data Source: Elastic Defend", "Tactic: Impact", "Resources: Investigation Guide"]
Expand Down
Loading