Skip to content

[New Rules] External Promotion Alerts #4903

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 4 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions detection_rules/schemas/definitions.py
Original file line number Diff line number Diff line change
Expand Up @@ -154,6 +154,7 @@ def validator_wrapper(value: Any) -> Any:
"OS: Linux",
"OS: macOS",
"OS: Windows",
"Promotion: External Alerts",
"Rule Type: BBR",
"Resources: Investigation Guide",
"Rule Type: Higher-Order Rule",
Expand Down
2 changes: 1 addition & 1 deletion pyproject.toml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
[project]
name = "detection_rules"
version = "1.3.14"
version = "1.3.15"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
readme = "README.md"
requires-python = ">=3.12"
Expand Down
106 changes: 106 additions & 0 deletions rules/promotions/crowdstrike_external_alerts.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,106 @@
[metadata]
creation_date = "2025/08/05"
integration = ["crowdstrike"]
maturity = "production"
promotion = true
min_stack_version = "8.18.0"
min_stack_comments = "Introduced support for CrowdStrike alert promotion"
updated_date = "2025/08/05"

[rule]
author = ["Elastic"]
description = """
Generates a detection alert for each CrowdStrike alert written to the configured indices. Enabling this rule allows you
to immediately begin investigating CrowdStrike alerts in the app.
"""
from = "now-2m"
index = ["logs-crowdstrike.alert-*"]
interval = "1m"
language = "kuery"
license = "Elastic License v2"
max_signals = 1000
name = "CrowdStrike External Alerts"
note = """## Triage and analysis

### Investigating CrowdStrike External Alerts

CrowdStrike Falcon is a cloud-native endpoint protection platform that delivers real-time threat detection and response capabilities. The 'Behavior - Detected - CrowdStrike Alerts' rule captures security alerts generated by Falcon and enables analysts to investigate threats rapidly based on behavioral indicators and threat intelligence.

### Possible investigation steps

- Review the associated process, file path, and command line to determine whether the activity is legitimate or suspicious.
- Investigate the user account and host involved in the alert to validate whether the activity was authorized.
- Cross-reference the alert with CrowdStrike Falcon console for additional context, including process tree, behavioral tags, and threat intelligence matches.
- Check for any related alerts from the same host, user, or file hash to identify whether this is part of a larger attack chain.
- Consult the Crowdstrike investigation guide and resources tagged in the alert for specific guidance on handling similar threats.

### False positive analysis

- Alerts involving known and trusted software tools (e.g., remote administration tools) may be false positives. Confirm intent before excluding.
- Security assessments or penetration testing activities might mimic real threats. Validate the activity with responsible teams.
- Scheduled jobs, IT scripts, or automation tools may trigger alerts if they behave similarly to malicious code.
- Review alerts based on detection confidence levels and behavioral scoring to filter out low-confidence or known-benign triggers.

### Response and remediation

- Isolate affected endpoints to prevent lateral movement if malicious behavior is confirmed.
- Quarantine any identified malicious files and block related hashes or domains.
- Investigate how the threat entered the environment and close any exploited vulnerabilities.
- Reset credentials for compromised user accounts or escalate to incident response.
- Review CrowdStrike Falcon policies and detections to fine-tune future alerting and response coverage.
- Document the findings and update detection logic or exceptions accordingly.
"""
references = ["https://docs.elastic.co/en/integrations/crowdstrike"]
risk_score = 47
rule_id = "aeebe561-c338-4118-9924-8cb4e478aa58"
rule_name_override = "message"
setup = """## Setup

### CrowdStrike Alert Integration
This rule is designed to capture alert events generated by the CrowdStrike integration and promote them as Elastic detection alerts.

To capture CrowdStrike alerts, install and configure the CrowdStrike integration to ingest alert events into the `logs-crowdstrike.alert-*` index pattern.

If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same CrowdStrike events. Consider adding a rule exception for the External Alert rule to exclude event.dataset:crowdstrike.alert to avoid receiving duplicate alerts.

### Additional notes

For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "medium"
tags = ["Data Source: CrowdStrike", "Use Case: Threat Detection", "Resources: Investigation Guide", "Promotion: External Alerts"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.kind: alert and event.dataset: crowdstrike.alert
'''

[[rule.risk_score_mapping]]
field = "crowdstrike.alert.incident.score"
operator = "equals"
value = ""

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "low"
value = "21"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "medium"
value = "47"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "high"
value = "73"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "critical"
value = "99"
110 changes: 110 additions & 0 deletions rules/promotions/elastic_security_external_alerts.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,110 @@
[metadata]
creation_date = "2025/08/05"
integration = ["elastic_security"]
maturity = "production"
promotion = true
min_stack_version = "8.18.0"
min_stack_comments = "Introduced support for Elastic Security alert promotion"
updated_date = "2025/08/05"

[rule]
author = ["Elastic"]
description = """
Generates a detection alert for each Elastic Security alert written to the configured indices. Enabling this rule
allows you to immediately begin investigating Elastic Security alerts in the app.
"""
from = "now-2m"
index = ["logs-elastic_security.alert-*"]
interval = "1m"
language = "kuery"
license = "Elastic License v2"
max_signals = 1000
name = "Elastic Security External Alerts"
note = """
## Triage and analysis

### Investigating Elastic Security External Alerts

Elastic Security is a comprehensive security platform that provides real-time visibility into your environment, helping you detect and respond to threats effectively. The 'Behavior - Detected - Elastic Security Alerts' rule identifies such threats by monitoring specific alert events, enabling analysts to swiftly investigate and mitigate potential security incidents.

### Possible investigation steps

- Correlate the alert with recent activity on the affected endpoint to identify any unusual or suspicious behavior patterns.
- Check for any additional alerts or logs related to the same endpoint or user to determine if this is part of a broader attack or isolated incident.
- Investigate the source and destination IP addresses involved in the alert to assess if they are known to be malicious or associated with previous threats.
- Analyze any files or processes flagged in the alert to determine if they are legitimate or potentially malicious, using threat intelligence sources if necessary.
- Consult the Elastic Security investigation guide and resources tagged in the alert for specific guidance on handling similar threats.

### False positive analysis

- Alerts triggered by routine software updates or patches can be false positives. Review the context of the alert to determine if it aligns with scheduled maintenance activities.
- Legitimate administrative tools or scripts may trigger alerts. Identify and whitelist these tools if they are verified as non-threatening.
- Frequent alerts from known safe applications or processes can be excluded by creating exceptions for these specific behaviors in the Elastic Security configuration.
- Network scanning or monitoring tools used by IT teams might be flagged. Ensure these tools are documented and excluded from triggering alerts if they are part of regular operations.
- User behavior that is consistent with their role but triggers alerts should be reviewed. If deemed non-malicious, adjust the rule to exclude these specific user actions.

### Response and remediation

- Isolate the affected endpoint immediately to prevent lateral movement and further compromise within the network.
- Analyze the specific alert details to identify the nature of the threat and any associated indicators of compromise (IOCs).
- Remove or quarantine any malicious files or processes identified by the Elastic Security alert to neutralize the threat.
- Apply relevant security patches or updates to address any exploited vulnerabilities on the affected endpoint.
- Conduct a thorough scan of the network to identify any additional endpoints that may have been compromised or are exhibiting similar behavior.
- Document the incident and escalate to the appropriate security team or management if the threat is part of a larger attack campaign or if additional resources are needed for remediation.
- Review and update endpoint protection policies and configurations to enhance detection and prevention capabilities against similar threats in the future.
"""
references = ["https://docs.elastic.co/en/integrations/elastic_security"]
risk_score = 47
rule_id = "720fc1aa-e195-4a1d-81d8-04edfe5313ed"
rule_name_override = "rule.name"
setup = """## Setup

### Elastic Security Alert Integration
This rule is designed to capture alert events generated by the Elastic Security integration and promote them as Elastic detection alerts.

To capture Elastic Security alerts, install and configure the Elastic Security integration to ingest alert events into the `logs-elastic_security.alert-*` index pattern.

If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same Elastic Security events. Consider adding a rule exception for the External Alert rule to exclude event.dataset:elastic_security.alert to avoid receiving duplicate alerts.

### Additional notes

For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "medium"
tags = ["Data Source: Elastic Security", "Use Case: Threat Detection", "Resources: Investigation Guide", "Promotion: External Alerts"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.kind: alert and event.dataset: elastic_security.alert
'''


[[rule.risk_score_mapping]]
field = "event.risk_score"
operator = "equals"
value = ""

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "low"
value = "21"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "medium"
value = "47"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "high"
value = "73"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "critical"
value = "99"
110 changes: 110 additions & 0 deletions rules/promotions/google_secops_external_alerts.toml
Original file line number Diff line number Diff line change
@@ -0,0 +1,110 @@
[metadata]
creation_date = "2025/08/05"
integration = ["google_secops"]
maturity = "production"
promotion = true
min_stack_version = "8.18.0"
min_stack_comments = "Introduced support for Google SecOps alert promotion"
updated_date = "2025/08/05"

[rule]
author = ["Elastic"]
description = """
Generates a detection alert for each Google SecOps alert written to the configured indices. Enabling this rule allows
you to immediately begin investigating Google SecOps alerts in the app.
"""
from = "now-2m"
index = ["logs-google_secops.alert-*"]
interval = "1m"
language = "kuery"
license = "Elastic License v2"
max_signals = 1000
name = "Google SecOps External Alerts"
note = """Triage and analysis

### Investigating Google SecOps External Alerts

Google SecOps provides a robust framework for monitoring and managing security operations within cloud environments. The detection rule leverages specific event identifiers to flag suspicious alerts, enabling analysts to swiftly investigate potential threats and mitigate risks.

### Possible investigation steps

- Examine the timeline of events leading up to and following the alert to identify any unusual patterns or activities that may indicate malicious behavior.
- Cross-reference the alert with other security logs and alerts to determine if it is part of a broader attack pattern or isolated incident.
- Investigate the source and destination IP addresses involved in the alert to assess their legitimacy and check for any known malicious activity associated with them.
- Analyze user activity associated with the alert to identify any unauthorized access or privilege escalation attempts.
- Consult the Google SecOps investigation guide and resources tagged in the alert for specific guidance on handling similar threats.

### False positive analysis

- Alerts triggered by routine administrative actions can be false positives. Review the context of the alert to determine if it aligns with known maintenance activities.
- Automated scripts or tools that interact with Google SecOps may generate alerts. Identify these scripts and consider creating exceptions for their expected behavior.
- Frequent alerts from specific IP addresses or user accounts that are known to be secure can be excluded by adding them to an allowlist.
- Alerts resulting from testing or development environments should be reviewed and, if deemed non-threatening, excluded from triggering further alerts.
- Regularly update and review exception lists to ensure they reflect current non-threatening behaviors and do not inadvertently exclude genuine threats.

### Response and remediation

- Immediately isolate affected systems or accounts identified in the Google SecOps alert to prevent further unauthorized access or data exfiltration.
- Conduct a thorough review of the alert details to identify any compromised credentials or access tokens and reset them promptly.
- Implement network segmentation or access control measures to limit the spread of potential threats within the environment.
- Review and update firewall rules and security group settings to block any suspicious IP addresses or domains associated with the alert.
- Escalate the incident to the security operations center (SOC) or incident response team for further analysis and to determine if additional resources are needed.
- Document the incident, including all actions taken, and update incident response plans to incorporate lessons learned from this event.
- Enhance monitoring and detection capabilities by tuning existing alerts and deploying additional rules to detect similar activities in the future.
"""
references = ["https://docs.elastic.co/en/integrations/google_secops"]
risk_score = 47
rule_id = "70558fd5-6448-4c65-804a-8567ce02c3a2"
rule_name_override = "google_secops.alert.detection.ruleName"
setup = """## Setup

### Google SecOps Alert Integration
This rule is designed to capture alert events generated by the Google SecOps integration and promote them as Elastic detection alerts.

To capture Google SecOps alerts, install and configure the Google SecOps integration to ingest alert events into the `logs-google_secops.alert-*` index pattern.

If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same SecOps events. Consider adding a rule exception for the External Alert rule to exclude event.dataset:google_secops.alert to avoid receiving duplicate alerts.

### Additional notes

For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "medium"
tags = ["Data Source: Google SecOps", "Use Case: Threat Detection", "Resources: Investigation Guide", "Promotion: External Alerts"]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.kind: alert and event.dataset: google_secops.alert
'''

[[rule.risk_score_mapping]]
field = "event.risk_score"
operator = "equals"
value = ""

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "low"
value = "21"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "medium"
value = "47"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "high"
value = "73"

[[rule.severity_mapping]]
field = "event.severity"
operator = "equals"
severity = "critical"
value = "99"


Loading
Loading