From e3a8ab147323aa38561b233fb1087ad2658c8005 Mon Sep 17 00:00:00 2001 From: Mika Ayenson Date: Mon, 13 May 2024 15:44:11 -0500 Subject: [PATCH 1/6] Add max_signal note, unit test, and rule tuning --- .../container_workload_protection.toml | 6 +++++- .../endpoint/elastic_endpoint_security.toml | 6 +++++- ...ial_access_endgame_cred_dumping_detected.toml | 6 +++++- ...al_access_endgame_cred_dumping_prevented.toml | 6 +++++- .../endgame_adversary_behavior_detected.toml | 6 +++++- rules/promotions/endgame_malware_detected.toml | 6 +++++- rules/promotions/endgame_malware_prevented.toml | 6 +++++- .../promotions/endgame_ransomware_detected.toml | 6 +++++- .../promotions/endgame_ransomware_prevented.toml | 6 +++++- .../execution_endgame_exploit_detected.toml | 6 +++++- .../execution_endgame_exploit_prevented.toml | 6 +++++- rules/promotions/external_alerts.toml | 6 +++++- ...ation_endgame_cred_manipulation_detected.toml | 6 +++++- ...tion_endgame_cred_manipulation_prevented.toml | 6 +++++- ...lation_endgame_permission_theft_detected.toml | 6 +++++- ...ation_endgame_permission_theft_prevented.toml | 6 +++++- ...ation_endgame_process_injection_detected.toml | 6 +++++- ...tion_endgame_process_injection_prevented.toml | 6 +++++- tests/test_all_rules.py | 16 +++++++++++++++- 19 files changed, 105 insertions(+), 19 deletions(-) diff --git a/rules/integrations/cloud_defend/container_workload_protection.toml b/rules/integrations/cloud_defend/container_workload_protection.toml index 4f6840a97e0..b34c172ce1f 100644 --- a/rules/integrations/cloud_defend/container_workload_protection.toml +++ b/rules/integrations/cloud_defend/container_workload_protection.toml @@ -4,7 +4,7 @@ integration = ["cloud_defend"] maturity = "production" min_stack_comments = "Initial version of the Container Workload Protection alerts" min_stack_version = "8.8.0" -updated_date = "2023/06/22" +updated_date = "2024/05/13" [rule] author = ["Elastic"] 
@@ -19,6 +19,10 @@ language = "kuery"
 license = "Elastic License v2"
 max_signals = 10000
 name = "Container Workload Protection"
+note = """## Setup
+
+The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured.
+To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config."""
 risk_score = 47
 rule_id = "4b4e9c99-27ea-4621-95c8-82341bc6e512"
 rule_name_override = "message"
diff --git a/rules/integrations/endpoint/elastic_endpoint_security.toml b/rules/integrations/endpoint/elastic_endpoint_security.toml
index 750c639c338..ca5c33eaafd 100644
--- a/rules/integrations/endpoint/elastic_endpoint_security.toml
+++ b/rules/integrations/endpoint/elastic_endpoint_security.toml
@@ -4,7 +4,7 @@ integration = ["endpoint"]
 maturity = "production"
 min_stack_comments = "New fields added: required_fields, related_integrations, setup"
 min_stack_version = "8.3.0"
-updated_date = "2023/06/22"
+updated_date = "2024/05/13"
 promotion = true
 
 [rule]
@@ -20,6 +20,10 @@ language = "kuery"
 license = "Elastic License v2"
 max_signals = 10000
 name = "Endpoint Security"
+note = """## Setup
+
+The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured.
+To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config."""
 risk_score = 47
 rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306"
 rule_name_override = "message"
diff --git a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
index d852586dfdd..c33b6cd19fe 100644
--- a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
+++ b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml
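Review bot: The added `note` tells the operator to "bypass" a default and cites a `system_limit`, but never states the consequence that justifies `max_signals = 10000` on this rule: as the wording implies, the rule-level value is bounded by the server-side cap, so on a default install this promotion rule presumably stops at 1000 alerts per execution and the remainder are never created — for a rule that forwards every Elastic Defend alert that is a silent detection gap, not a tuning detail. I would replace the paragraph with: `The rule's max_signals (10000) is above the Kibana default of 1000 alerts per rule execution; alerts beyond the lower of the two limits are not created.` / `To receive up to 10000 alerts per run, raise xpack.alerting.rules.run.alerts.max in kibana.yml; as a Kibana-level setting this presumably applies to every rule on the instance.` The same text is duplicated verbatim into seventeen other rule files, into `test_max_signals_note`, and (per PATCH 3/6) moved into the `setup` field, so the wording needs to change in all of them together.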
@@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -19,6 +19,10 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Credential Dumping - Detected - Elastic Endgame" +note = """## Setup + +The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. +To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" risk_score = 73 rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e" severity = "high" diff --git a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml index b9fa0659969..42726fd56e3 100644 --- a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml +++ b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -19,6 +19,10 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Credential Dumping - Prevented - Elastic Endgame" +note = """## Setup + +The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. +To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" risk_score = 47 rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13" severity = "medium" 
diff --git a/rules/promotions/endgame_adversary_behavior_detected.toml b/rules/promotions/endgame_adversary_behavior_detected.toml index bb6f24a7023..e4b882c8e24 100644 --- a/rules/promotions/endgame_adversary_behavior_detected.toml +++ b/rules/promotions/endgame_adversary_behavior_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -19,6 +19,10 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Adversary Behavior - Detected - Elastic Endgame" +note = """## Setup + +The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. +To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" risk_score = 47 rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69" severity = "medium" diff --git a/rules/promotions/endgame_malware_detected.toml b/rules/promotions/endgame_malware_detected.toml index f0e30664fda..4f9721d05dc 100644 --- a/rules/promotions/endgame_malware_detected.toml +++ b/rules/promotions/endgame_malware_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] 
@@ -19,6 +19,10 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Malware - Detected - Elastic Endgame" +note = """## Setup + +The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. +To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" risk_score = 99 rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de" severity = "critical" diff --git a/rules/promotions/endgame_malware_prevented.toml b/rules/promotions/endgame_malware_prevented.toml index cf572bfff5b..20c8c44ad69 100644 --- a/rules/promotions/endgame_malware_prevented.toml +++ b/rules/promotions/endgame_malware_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -19,6 +19,10 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Malware - Prevented - Elastic Endgame" +note = """## Setup + +The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. +To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" risk_score = 73 rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895" severity = "high" diff --git a/rules/promotions/endgame_ransomware_detected.toml b/rules/promotions/endgame_ransomware_detected.toml index d3fbddb0177..752c3976e56 100644 --- a/rules/promotions/endgame_ransomware_detected.toml +++ b/rules/promotions/endgame_ransomware_detected.toml 
@@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -19,6 +19,10 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Ransomware - Detected - Elastic Endgame" +note = """## Setup + +The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. +To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" risk_score = 99 rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd" severity = "critical" diff --git a/rules/promotions/endgame_ransomware_prevented.toml b/rules/promotions/endgame_ransomware_prevented.toml index 647d48bfd68..1866b889aa0 100644 --- a/rules/promotions/endgame_ransomware_prevented.toml +++ b/rules/promotions/endgame_ransomware_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -19,6 +19,10 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Ransomware - Prevented - Elastic Endgame" +note = """## Setup + +The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. +To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" risk_score = 73 rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac" severity = "high" diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml index bd0793465ea..fd0d3cdf429 100644 
--- a/rules/promotions/execution_endgame_exploit_detected.toml +++ b/rules/promotions/execution_endgame_exploit_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -19,6 +19,10 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Exploit - Detected - Elastic Endgame" +note = """## Setup + +The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. +To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" risk_score = 73 rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514" severity = "high" diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml index e830ee43dd4..7ffb8d61fd6 100644 --- a/rules/promotions/execution_endgame_exploit_prevented.toml +++ b/rules/promotions/execution_endgame_exploit_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -19,6 +19,10 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Exploit - Prevented - Elastic Endgame" +note = """## Setup + +The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. +To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" risk_score = 47 rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036" severity = "medium" 
diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml index dc709e80372..620027211b3 100644 --- a/rules/promotions/external_alerts.toml +++ b/rules/promotions/external_alerts.toml @@ -3,7 +3,7 @@ creation_date = "2020/07/08" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -17,6 +17,10 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "External Alerts" +note = """## Setup + +The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. +To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" risk_score = 47 rule_id = "eb079c62-4481-4d6e-9643-3ca499df7aaa" rule_name_override = "message" diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml index 61bd18b6fa4..a66351b5756 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] 
@@ -19,6 +19,10 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Credential Manipulation - Detected - Elastic Endgame" +note = """## Setup + +The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. +To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" risk_score = 73 rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f" severity = "high" diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml index 45426c07a57..ca37c8ec2fd 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -19,6 +19,10 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Credential Manipulation - Prevented - Elastic Endgame" +note = """## Setup + +The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. +To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" risk_score = 47 rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa" severity = "medium" diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml index aee92083b25..29dcbc7e3d8 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml 
+++ b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -19,6 +19,10 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Permission Theft - Detected - Elastic Endgame" +note = """## Setup + +The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. +To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" risk_score = 73 rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3" severity = "high" diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml index 1671ec4011f..ec68bf20131 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] 
@@ -19,6 +19,10 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Permission Theft - Prevented - Elastic Endgame" +note = """## Setup + +The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. +To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" risk_score = 47 rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b" severity = "medium" diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml index 0e874f5bf58..f546bacb11d 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -19,6 +19,10 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Process Injection - Detected - Elastic Endgame" +note = """## Setup + +The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. +To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" risk_score = 73 rule_id = "80c52164-c82a-402c-9964-852533d58be1" severity = "high" diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml index cbfacfd1bc9..7039391bea7 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml 
+++ b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml @@ -3,7 +3,7 @@ creation_date = "2020/02/18" maturity = "production" min_stack_comments = "New fields added: required_fields, related_integrations, setup" min_stack_version = "8.3.0" -updated_date = "2024/01/17" +updated_date = "2024/05/13" promotion = true [rule] @@ -19,6 +19,10 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Process Injection - Prevented - Elastic Endgame" +note = """## Setup + +The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. +To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" risk_score = 47 rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e" severity = "medium" diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index c66563c34a3..79dd4292614 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py 
@@ -147,6 +147,20 @@ def build_rule(query, bbr_type="default", from_field="now-120m", interval="60m")
         with self.assertRaises(ValidationError):
             build_rule(query=query, from_field="now-10m", interval="10m")
 
+    def test_max_signals_note(self):
+        """Ensure the max_signals note is present when max_signals > 1000."""
+        max_signal_standard_note = 'The `max_signals` field is set to a value greater than the default value (1000) ' \
+                                   'set by `system_limit`. This is to ensure that all alerts are captured.\n' \
+                                   'To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` '\
+                                   'setting in the Kibana config.'
+        for rule in self.all_rules:
+            if rule.contents.data.max_signals and rule.contents.data.max_signals > 1000:
+                self.assertIsNotNone(rule.contents.data.note, f'{self.rule_str(rule)} note required for max_signals > 1000')
+                if max_signal_standard_note not in rule.contents.data.note:
+                    self.fail(f'{self.rule_str(rule)} expected max_signals note missing\n\n'
+                              f'Expected: {max_signal_standard_note}\n\n'
+                              f'Actual: {rule.contents.data.note}')
+
 
 class TestThreatMappings(BaseRuleTest):
     """Test threat mapping data for rules."""
@@ -870,7 +884,7 @@ def test_integration_guide(self):
                 note_str = integration_notes.get(integration)
 
                 if note_str:
-                    self.assert_(rule.contents.data.note, f'{self.rule_str(rule)} note required for config information')
+                    self.assertIsNotNone(rule.contents.data.note, f'{self.rule_str(rule)} note required for config information')
 
                     if note_str not in rule.contents.data.note:
                         self.fail(f'{self.rule_str(rule)} expected {integration} config missing\n\n'

From ee18cc02274a0dfda2cc1df164cf8a3a337f044d Mon Sep 17 00:00:00 2001
From: Mika Ayenson
Date: Mon, 13 May 2024 15:51:46 -0500
Subject: [PATCH 2/6] skip E501

---
 tests/test_all_rules.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index 79dd4292614..8a5e951fde4 100644
--- a/tests/test_all_rules.py
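Review bot: `test_max_signals_note` enforces the note in only one direction: a rule whose `max_signals` is later lowered to 1000 or below keeps the "set above the default" paragraph without any test noticing, and a stale claim in an investigation guide is worse than none. Add the converse branch, e.g. `else:` / `self.assertNotIn(max_signal_standard_note, rule.contents.data.note or '', f'{self.rule_str(rule)} max_signals note present but max_signals <= 1000')`. The literal `1000` also appears in the docstring, the comparison, the failure message and the expected text; one constant such as `KIBANA_DEFAULT_MAX_ALERTS = 1000` interpolated into the string would keep them from drifting when Kibana's default changes. `assertIsNotNone` additionally lets an empty-string note through to the `in` check, which still fails but with the less specific "note missing" message; `assertTrue` would give the intended "note required" message. PATCH 3/6's diffstat shows this test changed again when the text moves to `setup`, so whichever field lands should carry these checks.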
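Review bot: Swapping `self.assert_` for `assertIsNotNone` changes what this line accepts, not just its name: `assert_` was an alias of `assertTrue`, so an empty `note` string used to fail here with "note required for config information" and now passes and only trips on the `in` check below with the "config missing" message. If the goal was only to drop the deprecated alias (removed, I believe, in Python 3.12), `self.assertTrue(rule.contents.data.note, f'{self.rule_str(rule)} note required for config information')` keeps the old behavior. `test_integration_guide` begins before this hunk and continues after it.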
+++ b/tests/test_all_rules.py
@@ -155,7 +155,7 @@ def test_max_signals_note(self):
                                    'setting in the Kibana config.'
         for rule in self.all_rules:
             if rule.contents.data.max_signals and rule.contents.data.max_signals > 1000:
-                self.assertIsNotNone(rule.contents.data.note, f'{self.rule_str(rule)} note required for max_signals > 1000')
+                self.assertIsNotNone(rule.contents.data.note, f'{self.rule_str(rule)} note required for max_signals > 1000')  # noqa: E501
                 if max_signal_standard_note not in rule.contents.data.note:
                     self.fail(f'{self.rule_str(rule)} expected max_signals note missing\n\n'
                               f'Expected: {max_signal_standard_note}\n\n'
@@ -884,7 +884,7 @@ def test_integration_guide(self):
                 note_str = integration_notes.get(integration)
 
                 if note_str:
-                    self.assertIsNotNone(rule.contents.data.note, f'{self.rule_str(rule)} note required for config information')
+                    self.assertIsNotNone(rule.contents.data.note, f'{self.rule_str(rule)} note required for config information')  # noqa: E501
 
                     if note_str not in rule.contents.data.note:
                         self.fail(f'{self.rule_str(rule)} expected {integration} config missing\n\n'

From f1e55b615b0aca85d96d52829740f06edda8a14e Mon Sep 17 00:00:00 2001
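Review bot: Adding `# noqa: E501` to the two `assertIsNotNone` calls suppresses a lint the rest of the file honors, when the excess length is only the failure message. Splitting the call keeps the linter honest with no behavior change: `self.assertIsNotNone(rule.contents.data.note,` / `f'{self.rule_str(rule)} note required for max_signals > 1000')`, and likewise for the "config information" message. Both hunks sit inside methods that begin before and end after this patch's context.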
From: Mika Ayenson Date: Mon, 13 May 2024 16:52:30 -0500 Subject: [PATCH 3/6] Use setup field --- .../container_workload_protection.toml | 8 ++++---- .../endpoint/elastic_endpoint_security.toml | 8 ++++---- ...ntial_access_endgame_cred_dumping_detected.toml | 6 +++--- ...tial_access_endgame_cred_dumping_prevented.toml | 6 +++--- .../endgame_adversary_behavior_detected.toml | 6 +++--- rules/promotions/endgame_malware_detected.toml | 6 +++--- rules/promotions/endgame_malware_prevented.toml | 6 +++--- rules/promotions/endgame_ransomware_detected.toml | 6 +++--- rules/promotions/endgame_ransomware_prevented.toml | 6 +++--- .../execution_endgame_exploit_detected.toml | 6 +++--- .../execution_endgame_exploit_prevented.toml | 6 +++--- rules/promotions/external_alerts.toml | 8 ++++---- ...alation_endgame_cred_manipulation_detected.toml | 6 +++--- ...lation_endgame_cred_manipulation_prevented.toml | 6 +++--- ...calation_endgame_permission_theft_detected.toml | 6 +++--- ...alation_endgame_permission_theft_prevented.toml | 6 +++--- ...alation_endgame_process_injection_detected.toml | 6 +++--- ...lation_endgame_process_injection_prevented.toml | 6 +++--- tests/test_all_rules.py | 14 +++++++------- 19 files changed, 64 insertions(+), 64 deletions(-) diff --git a/rules/integrations/cloud_defend/container_workload_protection.toml b/rules/integrations/cloud_defend/container_workload_protection.toml index b34c172ce1f..504527fdca1 100644 --- a/rules/integrations/cloud_defend/container_workload_protection.toml +++ b/rules/integrations/cloud_defend/container_workload_protection.toml 
@@ -19,13 +19,13 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Container Workload Protection" -note = """## Setup - -The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. -To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" risk_score = 47 rule_id = "4b4e9c99-27ea-4621-95c8-82341bc6e512" rule_name_override = "message" +setup = """## Setup + +The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. +To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" severity = "medium" tags = ["Data Source: Elastic Defend for Containers", "Domain: Container"] timestamp_override = "event.ingested" diff --git a/rules/integrations/endpoint/elastic_endpoint_security.toml b/rules/integrations/endpoint/elastic_endpoint_security.toml index ca5c33eaafd..5695d413de4 100644 --- a/rules/integrations/endpoint/elastic_endpoint_security.toml +++ b/rules/integrations/endpoint/elastic_endpoint_security.toml 
@@ -20,13 +20,13 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Endpoint Security" -note = """## Setup - -The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. -To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" risk_score = 47 rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306" rule_name_override = "message" +setup = """## Setup + +The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. +To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" severity = "medium" tags = ["Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml index c33b6cd19fe..416c532ea8e 100644 --- a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml +++ b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml @@ -19,12 +19,12 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Credential Dumping - Detected - Elastic Endgame" -note = """## Setup +risk_score = 73 +rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e" +setup = """## Setup The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" -risk_score = 73 -rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"] type = "query" 
diff --git a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml index 42726fd56e3..09b05bafd9f 100644 --- a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml +++ b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml @@ -19,12 +19,12 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Credential Dumping - Prevented - Elastic Endgame" -note = """## Setup +risk_score = 47 +rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13" +setup = """## Setup The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" -risk_score = 47 -rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"] type = "query" diff --git a/rules/promotions/endgame_adversary_behavior_detected.toml b/rules/promotions/endgame_adversary_behavior_detected.toml index e4b882c8e24..dcb049591fb 100644 --- a/rules/promotions/endgame_adversary_behavior_detected.toml +++ b/rules/promotions/endgame_adversary_behavior_detected.toml 
@@ -19,12 +19,12 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Adversary Behavior - Detected - Elastic Endgame" -note = """## Setup +risk_score = 47 +rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69" +setup = """## Setup The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" -risk_score = 47 -rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69" severity = "medium" tags = ["Data Source: Elastic Endgame"] type = "query" diff --git a/rules/promotions/endgame_malware_detected.toml b/rules/promotions/endgame_malware_detected.toml index 4f9721d05dc..be4fefdd97d 100644 --- a/rules/promotions/endgame_malware_detected.toml +++ b/rules/promotions/endgame_malware_detected.toml @@ -19,12 +19,12 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Malware - Detected - Elastic Endgame" -note = """## Setup +risk_score = 99 +rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de" +setup = """## Setup The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" -risk_score = 99 -rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de" severity = "critical" tags = ["Data Source: Elastic Endgame"] type = "query" diff --git a/rules/promotions/endgame_malware_prevented.toml b/rules/promotions/endgame_malware_prevented.toml index 20c8c44ad69..9d1fcd226af 100644 --- a/rules/promotions/endgame_malware_prevented.toml +++ b/rules/promotions/endgame_malware_prevented.toml 
@@ -19,12 +19,12 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Malware - Prevented - Elastic Endgame" -note = """## Setup +risk_score = 73 +rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895" +setup = """## Setup The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" -risk_score = 73 -rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895" severity = "high" tags = ["Data Source: Elastic Endgame"] type = "query" diff --git a/rules/promotions/endgame_ransomware_detected.toml b/rules/promotions/endgame_ransomware_detected.toml index 752c3976e56..fa1b2cee462 100644 --- a/rules/promotions/endgame_ransomware_detected.toml +++ b/rules/promotions/endgame_ransomware_detected.toml @@ -19,12 +19,12 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Ransomware - Detected - Elastic Endgame" -note = """## Setup +risk_score = 99 +rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd" +setup = """## Setup The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" -risk_score = 99 -rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd" severity = "critical" tags = ["Data Source: Elastic Endgame"] type = "query" diff --git a/rules/promotions/endgame_ransomware_prevented.toml b/rules/promotions/endgame_ransomware_prevented.toml index 1866b889aa0..5bf0e829581 100644 --- a/rules/promotions/endgame_ransomware_prevented.toml +++ b/rules/promotions/endgame_ransomware_prevented.toml 
@@ -19,12 +19,12 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Ransomware - Prevented - Elastic Endgame" -note = """## Setup +risk_score = 73 +rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac" +setup = """## Setup The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" -risk_score = 73 -rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac" severity = "high" tags = ["Data Source: Elastic Endgame"] type = "query" diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml index fd0d3cdf429..dcf50f5880e 100644 --- a/rules/promotions/execution_endgame_exploit_detected.toml +++ b/rules/promotions/execution_endgame_exploit_detected.toml @@ -19,12 +19,12 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Exploit - Detected - Elastic Endgame" -note = """## Setup +risk_score = 73 +rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514" +setup = """## Setup The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" -risk_score = 73 -rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"] type = "query" diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml index 7ffb8d61fd6..7b434d47474 100644 --- a/rules/promotions/execution_endgame_exploit_prevented.toml +++ b/rules/promotions/execution_endgame_exploit_prevented.toml 
@@ -19,12 +19,12 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Exploit - Prevented - Elastic Endgame" -note = """## Setup +risk_score = 47 +rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036" +setup = """## Setup The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" -risk_score = 47 -rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"] type = "query" diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml index 620027211b3..8de1c2b08e2 100644 --- a/rules/promotions/external_alerts.toml +++ b/rules/promotions/external_alerts.toml @@ -17,13 +17,13 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "External Alerts" -note = """## Setup - -The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. -To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" risk_score = 47 rule_id = "eb079c62-4481-4d6e-9643-3ca499df7aaa" rule_name_override = "message" +setup = """## Setup + +The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. +To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" severity = "medium" tags = ["OS: Windows", "Data Source: APM", "OS: macOS", "OS: Linux"] timestamp_override = "event.ingested" 
diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml index a66351b5756..0d545a7739c 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml @@ -19,12 +19,12 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Credential Manipulation - Detected - Elastic Endgame" -note = """## Setup +risk_score = 73 +rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f" +setup = """## Setup The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" -risk_score = 73 -rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml index ca37c8ec2fd..dc887fe8261 100644 --- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml 
@@ -19,12 +19,12 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Credential Manipulation - Prevented - Elastic Endgame" -note = """## Setup +risk_score = 47 +rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa" +setup = """## Setup The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" -risk_score = 47 -rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml index 29dcbc7e3d8..b157a920cb5 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml @@ -19,12 +19,12 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Permission Theft - Detected - Elastic Endgame" -note = """## Setup +risk_score = 73 +rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3" +setup = """## Setup The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" -risk_score = 73 -rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" 
diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml index ec68bf20131..de9abf86a9a 100644 --- a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml @@ -19,12 +19,12 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Permission Theft - Prevented - Elastic Endgame" -note = """## Setup +risk_score = 47 +rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b" +setup = """## Setup The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" -risk_score = 47 -rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml index f546bacb11d..c2cf442f396 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml 
@@ -19,12 +19,12 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Process Injection - Detected - Elastic Endgame" -note = """## Setup +risk_score = 73 +rule_id = "80c52164-c82a-402c-9964-852533d58be1" +setup = """## Setup The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" -risk_score = 73 -rule_id = "80c52164-c82a-402c-9964-852533d58be1" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml index 7039391bea7..af4b0cf180c 100644 --- a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml +++ b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml @@ -19,12 +19,12 @@ language = "kuery" license = "Elastic License v2" max_signals = 10000 name = "Process Injection - Prevented - Elastic Endgame" -note = """## Setup +risk_score = 47 +rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e" +setup = """## Setup The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" -risk_score = 47 -rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"] type = "query" diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index 8a5e951fde4..a1411133216 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py 
@@ -149,16 +149,16 @@ def build_rule(query, bbr_type="default", from_field="now-120m", interval="60m") def test_max_signals_note(self): """Ensure the max_signals note is present when max_signals > 1000.""" - max_signal_standard_note = 'The `max_signals` field is set to a value greater than the default value (1000) ' \ - 'set by `system_limit`. This is to ensure that all alerts are captured.\n' \ - 'To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` '\ - 'setting in the Kibana config.' + max_signal_standard_setup = 'The `max_signals` field is set to a value greater than the default value (1000) ' \ + 'set by `system_limit`. This is to ensure that all alerts are captured.\n' \ + 'To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` '\ + 'setting in the Kibana config.' for rule in self.all_rules: if rule.contents.data.max_signals and rule.contents.data.max_signals > 1000: - self.assertIsNotNone(rule.contents.data.note, f'{self.rule_str(rule)} note required for max_signals > 1000') # noqa: E501 - if max_signal_standard_note not in rule.contents.data.note: + self.assertIsNotNone(rule.contents.data.setup, f'{self.rule_str(rule)} note required for max_signals > 1000') # noqa: E501 + if max_signal_standard_setup not in rule.contents.data.note: self.fail(f'{self.rule_str(rule)} expected max_signals note missing\n\n' - f'Expected: {max_signal_standard_note}\n\n' + f'Expected: {max_signal_standard_setup}\n\n' f'Actual: {rule.contents.data.note}') From 54991cd5e28601b14db8487e13c4220f32750f40 Mon Sep 17 00:00:00 2001 From: Mika Ayenson Date: Mon, 13 May 2024 17:01:07 -0500 Subject: [PATCH 4/6] linting --- tests/test_all_rules.py | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index a1411133216..27da7daf3e6 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py 
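Review bot: The new assertion on `rule.contents.data.setup` is followed by a membership test that still reads `rule.contents.data.note`, so for a rule whose text moved to `setup` and whose `note` is absent the test dies with a TypeError from `in None` instead of reporting the missing guide. Patch 5/6 later in this series switches both the check and the `Actual:` output to `setup`, so the mismatch only bites anyone bisecting through this commit; squashing that fix into this change would avoid the broken intermediate state. The hunk covers the whole body of `test_max_signals_note`, starting at its `def` line.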
@@ -155,7 +155,8 @@ def test_max_signals_note(self): 'setting in the Kibana config.' for rule in self.all_rules: if rule.contents.data.max_signals and rule.contents.data.max_signals > 1000: - self.assertIsNotNone(rule.contents.data.setup, f'{self.rule_str(rule)} note required for max_signals > 1000') # noqa: E501 + error_message = f'{self.rule_str(rule)} note required for max_signals > 1000' + self.assertIsNotNone(rule.contents.data.setup, error_message) if max_signal_standard_setup not in rule.contents.data.note: self.fail(f'{self.rule_str(rule)} expected max_signals note missing\n\n' f'Expected: {max_signal_standard_setup}\n\n' @@ -884,7 +885,8 @@ def test_integration_guide(self): note_str = integration_notes.get(integration) if note_str: - self.assertIsNotNone(rule.contents.data.note, f'{self.rule_str(rule)} note required for config information') # noqa: E501 + error_message = f'{self.rule_str(rule)} note required for config information' + self.assertIsNotNone(rule.contents.data.note, error_message) if note_str not in rule.contents.data.note: self.fail(f'{self.rule_str(rule)} expected {integration} config missing\n\n' From 867f10241c765cbe7fb6b089bb308369e62c6158 Mon Sep 17 00:00:00 2001 From: Mika Ayenson Date: Mon, 13 May 2024 17:02:05 -0500 Subject: [PATCH 5/6] refactor to setup field --- tests/test_all_rules.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py index 27da7daf3e6..0d58774efaa 100644 --- a/tests/test_all_rules.py +++ b/tests/test_all_rules.py 
@@ -157,10 +157,10 @@ def test_max_signals_note(self): if rule.contents.data.max_signals and rule.contents.data.max_signals > 1000: error_message = f'{self.rule_str(rule)} note required for max_signals > 1000' self.assertIsNotNone(rule.contents.data.setup, error_message) - if max_signal_standard_setup not in rule.contents.data.note: + if max_signal_standard_setup not in rule.contents.data.setup: self.fail(f'{self.rule_str(rule)} expected max_signals note missing\n\n' f'Expected: {max_signal_standard_setup}\n\n' - f'Actual: {rule.contents.data.note}') + f'Actual: {rule.contents.data.setup}') class TestThreatMappings(BaseRuleTest): From 4cfe47de67b5ecc785a9711a5bc3d8924eecc5cb Mon Sep 17 00:00:00 2001 From: Mika Ayenson Date: Tue, 14 May 2024 07:59:45 -0500 Subject: [PATCH 6/6] Update wording to align with #5106 --- .../container_workload_protection.toml | 9 +++++++-- .../endpoint/elastic_endpoint_security.toml | 9 +++++++-- ...al_access_endgame_cred_dumping_detected.toml | 9 +++++++-- ...l_access_endgame_cred_dumping_prevented.toml | 9 +++++++-- .../endgame_adversary_behavior_detected.toml | 9 +++++++-- rules/promotions/endgame_malware_detected.toml | 9 +++++++-- rules/promotions/endgame_malware_prevented.toml | 9 +++++++-- .../promotions/endgame_ransomware_detected.toml | 9 +++++++-- .../endgame_ransomware_prevented.toml | 9 +++++++-- .../execution_endgame_exploit_detected.toml | 9 +++++++-- .../execution_endgame_exploit_prevented.toml | 9 +++++++-- rules/promotions/external_alerts.toml | 9 +++++++-- ...tion_endgame_cred_manipulation_detected.toml | 9 +++++++-- ...ion_endgame_cred_manipulation_prevented.toml | 9 +++++++-- ...ation_endgame_permission_theft_detected.toml | 9 +++++++-- ...tion_endgame_permission_theft_prevented.toml | 9 +++++++-- ...tion_endgame_process_injection_detected.toml | 9 +++++++-- ...ion_endgame_process_injection_prevented.toml | 9 +++++++-- tests/test_all_rules.py | 17 +++++++++++++---- 19 files changed, 139 insertions(+), 40 deletions(-) 
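Review bot: `error_message` still says `note required for max_signals > 1000` and the test's docstring still describes a `max_signals` note, although the assertion now checks `setup`; a failure would point maintainers at the wrong field. Suggest `error_message = f'{self.rule_str(rule)} setup guide required for max_signals > 1000'` and retitling the docstring to "Ensure the max_signals setup guide is present when max_signals > 1000." The threshold `1000` is also spelled out separately in the condition, the message and the expected text; a module-level constant such as `MAX_SIGNALS_SYSTEM_LIMIT = 1000` would keep them in step if the Kibana default ever moves. Patch 6/6 touches this test again, but that hunk is outside the view, so these points may already be addressed there. `test_max_signals_note` begins above this hunk.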
diff --git a/rules/integrations/cloud_defend/container_workload_protection.toml b/rules/integrations/cloud_defend/container_workload_protection.toml index 504527fdca1..fe0d918514d 100644 --- a/rules/integrations/cloud_defend/container_workload_protection.toml +++ b/rules/integrations/cloud_defend/container_workload_protection.toml @@ -24,8 +24,13 @@ rule_id = "4b4e9c99-27ea-4621-95c8-82341bc6e512" rule_name_override = "message" setup = """## Setup -The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. -To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Defend for Containers", "Domain: Container"] timestamp_override = "event.ingested" diff --git a/rules/integrations/endpoint/elastic_endpoint_security.toml b/rules/integrations/endpoint/elastic_endpoint_security.toml index 5695d413de4..ddc45fe6865 100644 --- a/rules/integrations/endpoint/elastic_endpoint_security.toml 
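Review bot: The setup text tells the reader that `xpack.alerting.rules.run.alerts.max` can hold this rule to 1000 alerts per run but not what that means operationally: for a promotion rule like this one, matching events beyond the cap on a given run are presumably not turned into alerts, so endpoint detections can go un-promoted without any change to the rule itself — a sentence such as "When the cap is reached, the remaining matching events on that run are not promoted to alerts; check the rule's execution log for the warning" would make the risk explicit (confirm the exact Kibana behaviour before stating it). The opening sentence, "configured to generate more **Max alerts per run** than the default 1000 alerts per run", reads awkwardly; `This rule's **Max alerts per run** is set above the 1000-per-run default applied to all rules, so that it captures as many alerts as possible.` says the same thing plainly. The same text is duplicated verbatim across eighteen rule files in this patch, so any wording fix has to be applied to all of them and to the matching expected string in `tests/test_all_rules.py`.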
+++ b/rules/integrations/endpoint/elastic_endpoint_security.toml @@ -25,8 +25,13 @@ rule_id = "9a1a2dae-0b5f-4c3d-8305-a268d404c306" rule_name_override = "message" setup = """## Setup -The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. -To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Defend"] timestamp_override = "event.ingested" diff --git a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml index 416c532ea8e..d643f37fbe6 100644 --- a/rules/promotions/credential_access_endgame_cred_dumping_detected.toml +++ b/rules/promotions/credential_access_endgame_cred_dumping_detected.toml 
@@ -23,8 +23,13 @@ risk_score = 73 rule_id = "571afc56-5ed9-465d-a2a9-045f099f6e7e" setup = """## Setup -The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. -To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"] type = "query" diff --git a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml index 09b05bafd9f..08734f9dda1 100644 --- a/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml +++ b/rules/promotions/credential_access_endgame_cred_dumping_prevented.toml 
@@ -23,8 +23,13 @@ risk_score = 47 rule_id = "db8c33a8-03cd-4988-9e2c-d0a4863adb13" setup = """## Setup -The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. -To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Credential Access"] type = "query" diff --git a/rules/promotions/endgame_adversary_behavior_detected.toml b/rules/promotions/endgame_adversary_behavior_detected.toml index dcb049591fb..8866e3f788d 100644 --- a/rules/promotions/endgame_adversary_behavior_detected.toml +++ b/rules/promotions/endgame_adversary_behavior_detected.toml 
@@ -23,8 +23,13 @@ risk_score = 47 rule_id = "77a3c3df-8ec4-4da4-b758-878f551dee69" setup = """## Setup -The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. -To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "medium" tags = ["Data Source: Elastic Endgame"] type = "query" diff --git a/rules/promotions/endgame_malware_detected.toml b/rules/promotions/endgame_malware_detected.toml index be4fefdd97d..c8865ab255e 100644 --- a/rules/promotions/endgame_malware_detected.toml +++ b/rules/promotions/endgame_malware_detected.toml 
@@ -23,8 +23,13 @@ risk_score = 99 rule_id = "0a97b20f-4144-49ea-be32-b540ecc445de" setup = """## Setup -The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. -To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "critical" tags = ["Data Source: Elastic Endgame"] type = "query" diff --git a/rules/promotions/endgame_malware_prevented.toml b/rules/promotions/endgame_malware_prevented.toml index 9d1fcd226af..22c4fdbc579 100644 --- a/rules/promotions/endgame_malware_prevented.toml +++ b/rules/promotions/endgame_malware_prevented.toml 
@@ -23,8 +23,13 @@ risk_score = 73 rule_id = "3b382770-efbb-44f4-beed-f5e0a051b895" setup = """## Setup -The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. -To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame"] type = "query" diff --git a/rules/promotions/endgame_ransomware_detected.toml b/rules/promotions/endgame_ransomware_detected.toml index fa1b2cee462..58870383f83 100644 --- a/rules/promotions/endgame_ransomware_detected.toml +++ b/rules/promotions/endgame_ransomware_detected.toml 
@@ -23,8 +23,13 @@ risk_score = 99 rule_id = "8cb4f625-7743-4dfb-ae1b-ad92be9df7bd" setup = """## Setup -The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. -To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "critical" tags = ["Data Source: Elastic Endgame"] type = "query" diff --git a/rules/promotions/endgame_ransomware_prevented.toml b/rules/promotions/endgame_ransomware_prevented.toml index 5bf0e829581..f8509c3a851 100644 --- a/rules/promotions/endgame_ransomware_prevented.toml +++ b/rules/promotions/endgame_ransomware_prevented.toml 
@@ -23,8 +23,13 @@ risk_score = 73 rule_id = "e3c5d5cb-41d5-4206-805c-f30561eae3ac" setup = """## Setup -The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured. -To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config.""" +This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible. + +**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher. + +To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly. + +**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.""" severity = "high" tags = ["Data Source: Elastic Endgame"] type = "query" diff --git a/rules/promotions/execution_endgame_exploit_detected.toml b/rules/promotions/execution_endgame_exploit_detected.toml index dcf50f5880e..fff5c779778 100644 --- a/rules/promotions/execution_endgame_exploit_detected.toml +++ b/rules/promotions/execution_endgame_exploit_detected.toml 
@@ -23,8 +23,13 @@ risk_score = 73
 rule_id = "2003cdc8-8d83-4aa5-b132-1f9a8eb48514"
 setup = """## Setup
 
-The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured.
-To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config."""
+This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
+
+**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
+
+To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
+
+**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
 severity = "high"
 tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"]
 type = "query"
diff --git a/rules/promotions/execution_endgame_exploit_prevented.toml b/rules/promotions/execution_endgame_exploit_prevented.toml
index 7b434d47474..b9e85a7bde9 100644
--- a/rules/promotions/execution_endgame_exploit_prevented.toml
+++ b/rules/promotions/execution_endgame_exploit_prevented.toml
@@ -23,8 +23,13 @@ risk_score = 47
 rule_id = "2863ffeb-bf77-44dd-b7a5-93ef94b72036"
 setup = """## Setup
 
-The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured.
-To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config."""
+This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
+
+**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
+
+To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
+
+**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
 severity = "medium"
 tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Execution", "Tactic: Privilege Escalation"]
 type = "query"
diff --git a/rules/promotions/external_alerts.toml b/rules/promotions/external_alerts.toml
index 8de1c2b08e2..8f657c450fb 100644
--- a/rules/promotions/external_alerts.toml
+++ b/rules/promotions/external_alerts.toml
@@ -22,8 +22,13 @@ rule_id = "eb079c62-4481-4d6e-9643-3ca499df7aaa"
 rule_name_override = "message"
 setup = """## Setup
 
-The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured.
-To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config."""
+This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
+
+**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
+
+To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
+
+**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
 severity = "medium"
 tags = ["OS: Windows", "Data Source: APM", "OS: macOS", "OS: Linux"]
 timestamp_override = "event.ingested"
diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
index 0d545a7739c..caef5f6abe9 100644
--- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
+++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_detected.toml
@@ -23,8 +23,13 @@ risk_score = 73
 rule_id = "c0be5f31-e180-48ed-aa08-96b36899d48f"
 setup = """## Setup
 
-The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured.
-To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config."""
+This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
+
+**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
+
+To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
+
+**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
 severity = "high"
 tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
 type = "query"
diff --git a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
index dc887fe8261..b9ddee16d41 100644
--- a/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
+++ b/rules/promotions/privilege_escalation_endgame_cred_manipulation_prevented.toml
@@ -23,8 +23,13 @@ risk_score = 47
 rule_id = "c9e38e64-3f4c-4bf3-ad48-0e61a60ea1fa"
 setup = """## Setup
 
-The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured.
-To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config."""
+This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
+
+**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
+
+To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
+
+**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
 severity = "medium"
 tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
 type = "query"
diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
index b157a920cb5..0a81cdd2fe7 100644
--- a/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
+++ b/rules/promotions/privilege_escalation_endgame_permission_theft_detected.toml
@@ -23,8 +23,13 @@ risk_score = 73
 rule_id = "c3167e1b-f73c-41be-b60b-87f4df707fe3"
 setup = """## Setup
 
-The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured.
-To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config."""
+This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
+
+**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
+
+To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
+
+**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
 severity = "high"
 tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
 type = "query"
diff --git a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
index de9abf86a9a..5c4cd362f22 100644
--- a/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
+++ b/rules/promotions/privilege_escalation_endgame_permission_theft_prevented.toml
@@ -23,8 +23,13 @@ risk_score = 47
 rule_id = "453f659e-0429-40b1-bfdb-b6957286e04b"
 setup = """## Setup
 
-The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured.
-To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config."""
+This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
+
+**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
+
+To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
+
+**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
 severity = "medium"
 tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
 type = "query"
diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
index c2cf442f396..430a3a2c8ae 100644
--- a/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
+++ b/rules/promotions/privilege_escalation_endgame_process_injection_detected.toml
@@ -23,8 +23,13 @@ risk_score = 73
 rule_id = "80c52164-c82a-402c-9964-852533d58be1"
 setup = """## Setup
 
-The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured.
-To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config."""
+This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
+
+**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
+
+To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
+
+**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
 severity = "high"
 tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
 type = "query"
diff --git a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
index af4b0cf180c..3451dafac36 100644
--- a/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
+++ b/rules/promotions/privilege_escalation_endgame_process_injection_prevented.toml
@@ -23,8 +23,13 @@ risk_score = 47
 rule_id = "990838aa-a953-4f3e-b3cb-6ddf7584de9e"
 setup = """## Setup
 
-The `max_signals` field is set to a value greater than the default value (1000) set by `system_limit`. This is to ensure that all alerts are captured.
-To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` setting in the Kibana config."""
+This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
+
+**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
+
+To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
+
+**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects."""
 severity = "medium"
 tags = ["Data Source: Elastic Endgame", "Use Case: Threat Detection", "Tactic: Privilege Escalation"]
 type = "query"
diff --git a/tests/test_all_rules.py b/tests/test_all_rules.py
index 0d58774efaa..97edd6f70ac 100644
--- a/tests/test_all_rules.py
+++ b/tests/test_all_rules.py
@@ -149,10 +149,19 @@ def build_rule(query, bbr_type="default", from_field="now-120m", interval="60m")
 
     def test_max_signals_note(self):
         """Ensure the max_signals note is present when max_signals > 1000."""
-        max_signal_standard_setup = 'The `max_signals` field is set to a value greater than the default value (1000) ' \
-                                    'set by `system_limit`. This is to ensure that all alerts are captured.\n' \
-                                    'To bypass this default, configure the `xpack.alerting.rules.run.alerts.max` '\
-                                    'setting in the Kibana config.'
+        max_signal_standard_setup = 'This rule is configured to generate more **Max alerts per run** than the ' \
+                                    'default 1000 alerts per run set for all rules. This is to ensure that it ' \
+                                    "captures as many alerts as possible.\n\n**IMPORTANT:** The rule's " \
+                                    '**Max alerts per run** setting can be superseded by the ' \
+                                    '`xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines ' \
+                                    'the maximum alerts generated by _any_ rule in the Kibana alerting framework. ' \
+                                    'For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule ' \
+                                    'will still generate no more than 1000 alerts even if its own **Max alerts per ' \
+                                    'run** is set higher.\n\nTo make sure this rule can generate as many alerts as ' \
+                                    "it's configured in its own **Max alerts per run** setting, increase the " \
+                                    '`xpack.alerting.rules.run.alerts.max` system setting accordingly.\n\n**NOTE:** ' \
+                                    'Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless ' \
+                                    'projects.'
         for rule in self.all_rules:
             if rule.contents.data.max_signals and rule.contents.data.max_signals > 1000:
                 error_message = f'{self.rule_str(rule)} note required for max_signals > 1000'
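Review bot: The docstring and the error message still describe the required text as a "note" (`"""Ensure the max_signals note is present when max_signals > 1000."""` and `note required for max_signals > 1000`), while the rule files in this patch carry it in the `setup` field; renaming both to `setup text` (and, separately, the method itself) keeps a failing test pointing at the right field. The thirteen-line backslash-continued literal is also fragile to edit — PEP 8 prefers implicit concatenation inside parentheses, and hoisting it to a module-level constant such as `MAX_SIGNALS_STANDARD_SETUP` would let the expected wording be reviewed and updated without reading the loop. The assertion that compares this string against each rule's `setup` lies outside the hunk, so whether it checks equality or containment cannot be confirmed here.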