IMPORTANT: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
current release documentation.
My First Rule
editMy First Rule
editThis rule helps you test and practice using alerts with Elastic Security as you get set up. It’s not a sign of threat activity.
Rule type: threshold
Rule indices:
- apm--transaction
- auditbeat-*
- endgame-*
- filebeat-*
- logs-*
- packetbeat-*
- traces-apm*
- winlogbeat-*
- -elastic-cloud-logs-
Severity: low
Risk score: 21
Runs every: 24h
Searches indices from: now-24h (Date Math format, see also Additional look-back time
)
Maximum alerts per execution: 1
References:
Tags:
- Use Case: Guided Onboarding
- Data Source: APM
- OS: Windows
- Data Source: Elastic Endgame
Version: 2
Rule authors:
- Elastic
Rule license: Elastic License v2
Investigation guide
editThis is a test alert. This alert does not show threat activity. Elastic created this alert to help you understand how alerts work. For normal rules, the Investigation Guide will help analysts investigate alerts. This alert will show once every 24 hours for each host. It is safe to disable this rule.
Rule query
editevent.kind:event