Skip to content

[New Rules] External Promotion Alerts #4903

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
wants to merge 2 commits into
base: main
Choose a base branch
from
Draft

[New Rules] External Promotion Alerts #4903

wants to merge 2 commits into from

Conversation

Mikaayenson
Copy link
Contributor

@Mikaayenson Mikaayenson commented Jul 11, 2025
edited
Loading

Pull Request

Issue link(s):

Summary - What I changed

How To Test

  • Some initial testing occurred by shipping a beta package to test the new incoming features.
  • Double check the requirements referenced in the issue (otherwise unit tests should pass)
    • index
    • overrides
    • query
    • severity mappings

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

@Mikaayenson Mikaayenson self-assigned this Jul 11, 2025
@Mikaayenson Mikaayenson added the Rule: New Proposal for new rule label Jul 11, 2025
@github-actions GitHub Actions
Copy link
Contributor

Rule: New - Guidelines

These guidelines serve as a reminder set of considerations when proposing a new rule.

Documentation and Context

  • Detailed description of the rule.
  • List any new fields required in ECS/data sources.
  • Link related issues or PRs.
  • Include references.

Rule Metadata Checks

  • creation_date matches the date of creation PR initially merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive, considering performance for diverse environments. Non ecs fields should be added to non-ecs-schema.json if not available in an integration.
  • min_stack_comments and min_stack_version should be included if the rule is only compatible starting from a specific stack version.
  • index pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data).
  • integration should align with the index. If the integration is newly introduced, ensure the manifest, schemas, and new_rule.yaml template are updated.
  • setup should include the necessary steps to configure the integration.
  • note should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).
  • tags should be relevant to the threat and align/added to the EXPECTED_RULE_TAGS in the definitions.py file.
  • threat, techniques, and subtechniques should map to ATT&CK always if possible.

New BBR Rules

  • building_block_type should be included if the rule is a building block and the rule should be located in the rules_building_block folder.
  • bypass_bbr_timing should be included if adding custom lookback timing to the rule.

Testing and Validation

  • Provide evidence of testing and detecting the expected threat.
  • Check for existence of coverage to prevent duplication.

@tradebot-elastic
Copy link

tradebot-elastic commented Jul 11, 2025
edited
Loading

⛔️ Test failed

Results
  • ❌ Google SecOps External Alerts (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Elastic Security External Alerts (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Microsoft Sentinel External Alerts (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ SentinelOne External Alerts (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ CrowdStrike External Alerts (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta
  • ❌ Splunk External Alerts (kuery)
    • coverage_issue: no_rta
    • stack_validation_failed: no_rta

Mikaayenson
Mikaayenson commented Jul 11, 2025
View reviewed changes
detection_rules/schemas/definitions.py
@@ -154,6 +154,7 @@ def validator_wrapper(value: Any) -> Any:
"OS: Linux",
"OS: macOS",
"OS: Windows",
"Promotion: External Alerts",
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@peluja1012 @xcrzx any concern with extending the tag to fit our unit tests?

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I just need to support it in Kibana. Should be an easy change. I'll post here once I've merged it.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @Mikaayenson, the PR was merged: elastic/kibana#228232

Mikaayenson
Mikaayenson commented Jul 11, 2025
View reviewed changes
rules/promotions/crowdstrike_external_alerts.toml
references = ["https://docs.elastic.co/en/integrations/crowdstrike"]
risk_score = 47
rule_id = "aeebe561-c338-4118-9924-8cb4e478aa58"
rule_name_override = "message"
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@peluja1012 the spec on the issue says Rule name override should be set to rule.name, but the data and export has message

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @Mikaayenson, message works.

@Mikaayenson Mikaayenson requested a review from Samirbous July 11, 2025 22:08
approksiu
approksiu reviewed Jul 14, 2025
View reviewed changes
Copy link

@approksiu approksiu left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, If we use tag "Promotion: External Alerts" tag, let's also update the "External Alerts" rule tag.

@xcrzx xcrzx mentioned this pull request Jul 16, 2025
Merged
Samirbous
Samirbous approved these changes Jul 18, 2025
View reviewed changes
rules/promotions/crowdstrike_external_alerts.toml

To capture CrowdStrike alerts, install and configure the CrowdStrike integration to ingest alert events into the `logs-crowdstrike.alert-*` index pattern.

If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same CrowdStrike events. To avoid this, disable the External Alerts rule when using this one.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

disabling External Alerts will turn off all external alerts (impact other datasources), instead maybe replace it with Consider adding a rule exception for the External Alert rule to exclude event.module:crowdstrike

rules/promotions/elastic_security_external_alerts.toml

To capture Elastic Security alerts, install and configure the Elastic Security integration to ingest alert events into the `logs-elastic_security.alert-*` index pattern.

If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same Elastic Security events. To avoid this, disable the External Alerts rule when using this one.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same as above Consider adding a rule exception for the External Alert rule to exclude event.module:elastic_security

rules/promotions/google_secops_external_alerts.toml

To capture Google SecOps alerts, install and configure the Google SecOps integration to ingest alert events into the `logs-google_secops.alert-*` index pattern.

If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same SecOps events. To avoid this, disable the External Alerts rule when using this one.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same as above event.module:google_secops

rules/promotions/microsoft_sentinel_external_alerts.toml

To capture Microsoft Sentinel alerts, install and configure the Microsoft Sentinel integration to ingest alert events into the `logs-microsoft_sentinel.alert-*` index pattern.

If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same Sentinel events. To avoid this, disable the External Alerts rule when using this one.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same as above consider adding a rule exception for the External Alert rule to exclude event.module:microsoft_sentinel to avoid receiving duplicate alerts from same integration ....

rules/promotions/sentinelone_external_alerts.toml

To capture SentinelOne alerts, install and configure the SentinelOne integration to ingest alert events into the `logs-sentinel_one.alert-*` index pattern.

If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same SentinelOne events. To avoid this, disable the External Alerts rule when using this one.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same as above.

rules/promotions/splunk_external_alerts.toml

To capture Splunk alerts, install and configure the Splunk integration to ingest alert events into the `logs-splunk.alert-*` index pattern.

If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same Splunk events. To avoid this, disable the External Alerts rule when using this one.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same as above.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xcrzx xcrzx xcrzx left review comments

@approksiu approksiu approksiu left review comments

@Samirbous Samirbous Samirbous approved these changes

@peluja1012 peluja1012 Awaiting requested review from peluja1012

@jamesspi jamesspi Awaiting requested review from jamesspi

@w0rk3r w0rk3r Awaiting requested review from w0rk3r

@eric-forte-elastic eric-forte-elastic Awaiting requested review from eric-forte-elastic eric-forte-elastic will be requested when the pull request is marked ready for review eric-forte-elastic is a code owner

@traut traut Awaiting requested review from traut traut will be requested when the pull request is marked ready for review traut is a code owner

At least 2 approving reviews are required to merge this pull request.

Assignees

@Mikaayenson Mikaayenson

Labels
patch Rule: New Proposal for new rule
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@Mikaayenson @tradebot-elastic @peluja1012 @xcrzx @approksiu @Samirbous