[New Rules] External Promotion Alerts #4903
Open: Mikaayenson wants to merge 10 commits into main from new_promotion_rules.
Commits (10):
- 3abbeef Add initial promotion rules (Mikaayenson)
- 9fe1f5d Update tags to pass our unit tests (Mikaayenson)
- 0bcb4a9 Update setup guide (Mikaayenson)
- e51208c Merge branch 'main' into new_promotion_rules (Mikaayenson)
- a3477e4 per integrations team guidance use data_stream.dataset instead of eve… (Mikaayenson)
- e4d77eb typo (Mikaayenson)
- 10ad55c lint (Mikaayenson)
- 1a013e8 lint (Mikaayenson)
- 54d58fa update docs (Mikaayenson)
- 615dbbc tweak s1 query (Mikaayenson)
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,106 @@ | ||
[metadata] | ||
creation_date = "2025/08/05" | ||
integration = ["crowdstrike"] | ||
maturity = "production" | ||
promotion = true | ||
min_stack_version = "8.18.0" | ||
min_stack_comments = "Introduced support for CrowdStrike alert promotion" | ||
updated_date = "2025/08/05" | ||
|
||
[rule] | ||
author = ["Elastic"] | ||
description = """ | ||
Generates a detection alert for each CrowdStrike alert written to the configured indices. Enabling this rule allows you | ||
to immediately begin investigating CrowdStrike alerts in the app. | ||
""" | ||
from = "now-2m" | ||
index = ["logs-crowdstrike.alert-*"] | ||
interval = "1m" | ||
language = "kuery" | ||
license = "Elastic License v2" | ||
max_signals = 1000 | ||
Review comment on `max_signals`: Any specific reason we set this to 1000?
Reply: consistency with #4556
||
name = "CrowdStrike External Alerts" | ||
note = """## Triage and analysis | ||
|
||
### Investigating CrowdStrike External Alerts | ||
|
||
CrowdStrike Falcon is a cloud-native endpoint protection platform that delivers real-time threat detection and response capabilities. The 'Behavior - Detected - CrowdStrike Alerts' rule captures security alerts generated by Falcon and enables analysts to investigate threats rapidly based on behavioral indicators and threat intelligence. | ||
|
||
### Possible investigation steps | ||
|
||
- Review the associated process, file path, and command line to determine whether the activity is legitimate or suspicious. | ||
- Investigate the user account and host involved in the alert to validate whether the activity was authorized. | ||
- Cross-reference the alert with CrowdStrike Falcon console for additional context, including process tree, behavioral tags, and threat intelligence matches. | ||
- Check for any related alerts from the same host, user, or file hash to identify whether this is part of a larger attack chain. | ||
- Consult the Crowdstrike investigation guide and resources tagged in the alert for specific guidance on handling similar threats. | ||
|
||
### False positive analysis | ||
|
||
- Alerts involving known and trusted software tools (e.g., remote administration tools) may be false positives. Confirm intent before excluding. | ||
- Security assessments or penetration testing activities might mimic real threats. Validate the activity with responsible teams. | ||
- Scheduled jobs, IT scripts, or automation tools may trigger alerts if they behave similarly to malicious code. | ||
- Review alerts based on detection confidence levels and behavioral scoring to filter out low-confidence or known-benign triggers. | ||
|
||
### Response and remediation | ||
|
||
- Isolate affected endpoints to prevent lateral movement if malicious behavior is confirmed. | ||
- Quarantine any identified malicious files and block related hashes or domains. | ||
- Investigate how the threat entered the environment and close any exploited vulnerabilities. | ||
- Reset credentials for compromised user accounts or escalate to incident response. | ||
- Review CrowdStrike Falcon policies and detections to fine-tune future alerting and response coverage. | ||
- Document the findings and update detection logic or exceptions accordingly. | ||
""" | ||
references = ["https://docs.elastic.co/en/integrations/crowdstrike"] | ||
risk_score = 47 | ||
rule_id = "aeebe561-c338-4118-9924-8cb4e478aa58" | ||
rule_name_override = "message" | ||
|
||
setup = """## Setup | ||
|
||
### CrowdStrike Alert Integration | ||
This rule is designed to capture alert events generated by the CrowdStrike integration and promote them as Elastic detection alerts. | ||
|
||
To capture CrowdStrike alerts, install and configure the CrowdStrike integration to ingest alert events into the `logs-crowdstrike.alert-*` index pattern. | ||
|
||
If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same CrowdStrike events. Consider adding a rule exception for the External Alert rule to exclude data_stream.dataset:crowdstrike.alert to avoid receiving duplicate alerts. | ||
|
||
### Additional notes | ||
|
||
For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). | ||
""" | ||
severity = "medium" | ||
tags = ["Data Source: CrowdStrike", "Use Case: Threat Detection", "Resources: Investigation Guide", "Promotion: External Alerts"] | ||
timestamp_override = "event.ingested" | ||
type = "query" | ||
|
||
query = ''' | ||
event.kind: alert and data_stream.dataset: crowdstrike.alert | ||
''' | ||
|
||
[[rule.risk_score_mapping]] | ||
field = "crowdstrike.alert.incident.score" | ||
operator = "equals" | ||
value = "" | ||
|
||
[[rule.severity_mapping]] | ||
field = "event.severity" | ||
operator = "equals" | ||
severity = "low" | ||
value = "21" | ||
|
||
[[rule.severity_mapping]] | ||
field = "event.severity" | ||
operator = "equals" | ||
severity = "medium" | ||
value = "47" | ||
|
||
[[rule.severity_mapping]] | ||
field = "event.severity" | ||
operator = "equals" | ||
severity = "high" | ||
value = "73" | ||
|
||
[[rule.severity_mapping]] | ||
field = "event.severity" | ||
operator = "equals" | ||
severity = "critical" | ||
value = "99" |
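Review bot: The "Investigating CrowdStrike External Alerts" section refers to this rule as 'Behavior - Detected - CrowdStrike Alerts', but the file sets `name = "CrowdStrike External Alerts"`; the guide text should use the rule's actual name so analysts reading the triage note can find the rule it describes. Two smaller points: every `[[rule.severity_mapping]]` uses `operator = "equals"` on `event.severity` with only the values 21, 47, 73 and 99, so an alert whose `event.severity` arrives at any other value falls back to the static `severity = "medium"`; worth confirming against the CrowdStrike integration's field mapping that these are the only values it emits, and likewise that `crowdstrike.alert.incident.score` (used in `[[rule.risk_score_mapping]]`) is the numeric score field the integration populates. Also, "Crowdstrike" in the last investigation step should be "CrowdStrike" to match the rest of the file.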
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,110 @@ | ||
[metadata] | ||
creation_date = "2025/08/05" | ||
integration = ["elastic_security"] | ||
maturity = "production" | ||
promotion = true | ||
min_stack_version = "8.18.0" | ||
min_stack_comments = "Introduced support for Elastic Security alert promotion" | ||
updated_date = "2025/08/05" | ||
|
||
[rule] | ||
author = ["Elastic"] | ||
description = """ | ||
Generates a detection alert for each Elastic Security alert written to the configured indices. Enabling this rule | ||
allows you to immediately begin investigating Elastic Security alerts in the app. | ||
""" | ||
from = "now-2m" | ||
index = ["logs-elastic_security.alert-*"] | ||
interval = "1m" | ||
language = "kuery" | ||
license = "Elastic License v2" | ||
max_signals = 1000 | ||
name = "Elastic Security External Alerts" | ||
note = """ | ||
## Triage and analysis | ||
|
||
### Investigating Elastic Security External Alerts | ||
|
||
Elastic Security is a comprehensive security platform that provides real-time visibility into your environment, helping you detect and respond to threats effectively. The 'Behavior - Detected - Elastic Security Alerts' rule identifies such threats by monitoring specific alert events, enabling analysts to swiftly investigate and mitigate potential security incidents. | ||
|
||
### Possible investigation steps | ||
|
||
- Correlate the alert with recent activity on the affected endpoint to identify any unusual or suspicious behavior patterns. | ||
- Check for any additional alerts or logs related to the same endpoint or user to determine if this is part of a broader attack or isolated incident. | ||
- Investigate the source and destination IP addresses involved in the alert to assess if they are known to be malicious or associated with previous threats. | ||
- Analyze any files or processes flagged in the alert to determine if they are legitimate or potentially malicious, using threat intelligence sources if necessary. | ||
- Consult the Elastic Security investigation guide and resources tagged in the alert for specific guidance on handling similar threats. | ||
|
||
### False positive analysis | ||
|
||
- Alerts triggered by routine software updates or patches can be false positives. Review the context of the alert to determine if it aligns with scheduled maintenance activities. | ||
- Legitimate administrative tools or scripts may trigger alerts. Identify and whitelist these tools if they are verified as non-threatening. | ||
- Frequent alerts from known safe applications or processes can be excluded by creating exceptions for these specific behaviors in the Elastic Security configuration. | ||
- Network scanning or monitoring tools used by IT teams might be flagged. Ensure these tools are documented and excluded from triggering alerts if they are part of regular operations. | ||
- User behavior that is consistent with their role but triggers alerts should be reviewed. If deemed non-malicious, adjust the rule to exclude these specific user actions. | ||
|
||
### Response and remediation | ||
|
||
- Isolate the affected endpoint immediately to prevent lateral movement and further compromise within the network. | ||
- Analyze the specific alert details to identify the nature of the threat and any associated indicators of compromise (IOCs). | ||
- Remove or quarantine any malicious files or processes identified by the Elastic Security alert to neutralize the threat. | ||
- Apply relevant security patches or updates to address any exploited vulnerabilities on the affected endpoint. | ||
- Conduct a thorough scan of the network to identify any additional endpoints that may have been compromised or are exhibiting similar behavior. | ||
- Document the incident and escalate to the appropriate security team or management if the threat is part of a larger attack campaign or if additional resources are needed for remediation. | ||
- Review and update endpoint protection policies and configurations to enhance detection and prevention capabilities against similar threats in the future. | ||
""" | ||
references = ["https://docs.elastic.co/en/integrations/elastic_security"] | ||
risk_score = 47 | ||
rule_id = "720fc1aa-e195-4a1d-81d8-04edfe5313ed" | ||
rule_name_override = "rule.name" | ||
setup = """## Setup | ||
|
||
### Elastic Security Alert Integration | ||
This rule is designed to capture alert events generated by the Elastic Security integration and promote them as Elastic detection alerts. | ||
|
||
To capture Elastic Security alerts, install and configure the Elastic Security integration to ingest alert events into the `logs-elastic_security.alert-*` index pattern. | ||
|
||
If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same Elastic Security events. Consider adding a rule exception for the External Alert rule to exclude data_stream.dataset:elastic_security.alert to avoid receiving duplicate alerts. | ||
|
||
### Additional notes | ||
|
||
For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts). | ||
""" | ||
severity = "medium" | ||
tags = ["Data Source: Elastic Security", "Use Case: Threat Detection", "Resources: Investigation Guide", "Promotion: External Alerts"] | ||
timestamp_override = "event.ingested" | ||
type = "query" | ||
|
||
query = ''' | ||
event.kind: alert and data_stream.dataset: elastic_security.alert | ||
''' | ||
|
||
|
||
[[rule.risk_score_mapping]] | ||
field = "event.risk_score" | ||
operator = "equals" | ||
value = "" | ||
|
||
[[rule.severity_mapping]] | ||
field = "event.severity" | ||
operator = "equals" | ||
severity = "low" | ||
value = "21" | ||
|
||
[[rule.severity_mapping]] | ||
field = "event.severity" | ||
operator = "equals" | ||
severity = "medium" | ||
value = "47" | ||
|
||
[[rule.severity_mapping]] | ||
field = "event.severity" | ||
operator = "equals" | ||
severity = "high" | ||
value = "73" | ||
|
||
[[rule.severity_mapping]] | ||
field = "event.severity" | ||
operator = "equals" | ||
severity = "critical" | ||
value = "99" |
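Review bot: Same naming mismatch as in the CrowdStrike file: the "Investigating Elastic Security External Alerts" section calls this rule 'Behavior - Detected - Elastic Security Alerts' while the file sets `name = "Elastic Security External Alerts"`; align the guide text with the rule name. Formatting points to match the sibling file: `note = """` here puts a line break before `## Triage and analysis` whereas the CrowdStrike rule starts the heading on the same line as the opening quotes, and there are two consecutive blank lines between the `query` block and `[[rule.risk_score_mapping]]` where the other file has one. As with the CrowdStrike rule, the severity mappings use `operator = "equals"` on exact `event.severity` values (21/47/73/99), so confirm the Elastic Security integration emits those values; anything else takes the static `severity = "medium"`.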