IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
« Multiple Vault Web Credentials Read NTDS or SAM Database File Copied »
Elastic Docs Elastic Security Solution [8.8] Detections and alerts Prebuilt rule reference

My First Rule

edit

My First Rule

edit

This rule helps you test and practice using alerts with Elastic Security as you get set up. It’s not a sign of threat activity.

Rule type: threshold

Rule indices:

  • apm--transaction
  • auditbeat-*
  • endgame-*
  • filebeat-*
  • logs-*
  • packetbeat-*
  • traces-apm*
  • winlogbeat-*
  • -elastic-cloud-logs-

Severity: low

Risk score: 21

Runs every: 24h

Searches indices from: now-24h (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 1

References:

Tags:

  • Use Case: Guided Onboarding
  • Data Source: APM
  • OS: Windows
  • Data Source: Elastic Endgame

Version: 2

Rule authors:

  • Elastic

Rule license: Elastic License v2

Investigation guide

edit
This is a test alert.

This alert does not show threat activity. Elastic created this alert to help you understand how alerts work.

For normal rules, the Investigation Guide will help analysts investigate alerts.

This alert will show once every 24 hours for each host. It is safe to disable this rule.

Rule query

edit
event.kind:event
« Multiple Vault Web Credentials Read NTDS or SAM Database File Copied »