My First Alert
This rule helps you test and practice using alerts with Elastic Security as you get set up. It’s not a sign of threat activity.
Rule type: threshold
Rule indices:
- apm-*-transaction*
- auditbeat-*
- endgame-*
- filebeat-*
- logs-*
- packetbeat-*
- traces-apm*
- winlogbeat-*
- -*elastic-cloud-logs-*
Severity: low
Risk score: 21
Runs every: 24 hours
Searches indices from: now-24h (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 1
References:
Tags:
- Elastic
- Example
- Guided Onboarding
- Network
- APM
- Windows
- Elastic Endgame
Version: 1
Added (Elastic Stack release): 8.6.0
Rule authors: Elastic
Rule license: Elastic License v2
Potential false positives
This rule is not looking for threat activity. Disable the rule if you’re already familiar with alerts.
Investigation guide
This is a test alert. This alert does not show threat activity. Elastic created this alert to help you understand how alerts work. For normal rules, the Investigation Guide will help analysts investigate alerts. This alert will show once every 24 hours for each host. It is safe to disable this rule.
Rule query
event.kind:"event"
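To make the rule's settings concrete, here is an added simplified model (not Elastic's code) of how one execution of this threshold rule evaluates: documents in the now-24h look-back window are filtered by the rule query event.kind:"event", counted per host, and every host at or above the threshold becomes an alert candidate, capped by "Maximum alerts per execution". It assumes the threshold groups on host.name (the page only says "for each host") and uses constructed sample documents.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample documents (not from the page): two hosts inside the
# window, one document older than 24h, and one whose event.kind is not "event".
NOW = datetime(2024, 1, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_DOCS = [
    {"@timestamp": NOW - timedelta(hours=1),  "event.kind": "event",  "host.name": "web-01"},
    {"@timestamp": NOW - timedelta(hours=2),  "event.kind": "event",  "host.name": "web-01"},
    {"@timestamp": NOW - timedelta(hours=3),  "event.kind": "event",  "host.name": "db-01"},
    {"@timestamp": NOW - timedelta(hours=30), "event.kind": "event",  "host.name": "old-01"},   # outside now-24h
    {"@timestamp": NOW - timedelta(hours=1),  "event.kind": "signal", "host.name": "siem-01"},  # query miss
]


def matches_query(doc):
    """Mirror of the rule query: event.kind:"event"."""
    return doc.get("event.kind") == "event"


def threshold_buckets(docs, now, lookback=timedelta(hours=24), group_field="host.name"):
    """Count query hits per group inside the look-back window ("Searches indices from: now-24h")."""
    counts = {}
    for doc in docs:
        ts = doc["@timestamp"]
        if not (now - lookback <= ts <= now):
            continue  # outside the window this execution searches
        if not matches_query(doc):
            continue
        key = doc.get(group_field)
        counts[key] = counts.get(key, 0) + 1
    return counts


def run_threshold_rule(docs, now, threshold=1, max_alerts=1, **bucket_opts):
    """Alerts one execution emits: one per group meeting the threshold, capped by max_alerts.

    threshold=1 and max_alerts=1 mirror the page's settings; the cap is why a single
    execution can emit fewer alerts than there are matching hosts (assumption: simplified model).
    """
    buckets = threshold_buckets(docs, now, **bucket_opts)
    candidates = [{"host.name": host, "count": n}
                  for host, n in sorted(buckets.items()) if n >= threshold]
    return candidates[:max_alerts]
```

Raising max_alerts (or running with a larger threshold) shows how the per-host buckets and the execution cap interact.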