Endpoint Security
editEndpoint Security
editGenerates a detection alert each time an Elastic Endpoint Security alert is received. Enabling this rule allows you to immediately begin investigating your Endpoint alerts.
Rule type: query
Rule indices:
- logs-endpoint.alerts-*
Severity: medium
Risk score: 47
Runs every: 5m
Searches indices from: now-10m (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 10000
References: None
Tags:
- Data Source: Elastic Defend
Version: 103
Rule authors:
- Elastic
Rule license: Elastic License v2
Setup
editSetup
This rule is configured to generate more Max alerts per run than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
IMPORTANT: The rule’s Max alerts per run setting can be superseded by the xpack.alerting.rules.run.alerts.max
Kibana config setting, which determines the maximum alerts generated by any rule in the Kibana alerting framework. For example, if xpack.alerting.rules.run.alerts.max
is set to 1000, this rule will still generate no more than 1000 alerts even if its own Max alerts per run is set higher.
To make sure this rule can generate as many alerts as it’s configured in its own Max alerts per run setting, increase the xpack.alerting.rules.run.alerts.max
system setting accordingly.
NOTE: Changing xpack.alerting.rules.run.alerts.max
is not possible in Serverless projects.
Rule query
editevent.kind:alert and event.module:(endpoint and not endgame)