Skip to content

Commit 1cc060c

Browse files
eric-forte-elasticeric-forte-elastic
committed
revert email change
1 parent 82606e8 commit 1cc060c

File tree

1 file changed

+1
-1
lines changed

1 file changed

+1
-1
lines changed

detection_rules/etc/custom-consolidated-rules.ndjson

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -4,7 +4,7 @@
44
{"id":"45241dcf-1bb2-41eb-8e91-89741af275c0","updated_at":"2025-08-18T03:43:41.240Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.317Z","created_by":"841510929","name":"test_eql_rule","tags":["EQL","Windows","rundll32.exe"],"interval":"5m","enabled":true,"revision":1,"description":"Unusual rundll32.exe network connection","risk_score":0,"severity":"low","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-6m","rule_id":"2cc8f325-e1b1-4201-8b8d-88a51c94992b","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"event.type","type":"keyword","ecs":true},{"name":"process.args","type":"keyword","ecs":true},{"name":"process.args_count","type":"long","ecs":true},{"name":"process.entity_id","type":"keyword","ecs":true},{"name":"process.name","type":"keyword","ecs":true},{"name":"process.pe.original_file_name","type":"keyword","ecs":true}],"setup":"None","type":"eql","language":"eql","index":["logs-*"],"query":"sequence by process.entity_id with maxspan=2h [process where event.type in (\"start\", \"process_started\") and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\") and ((process.args == \"rundll32.exe\" and process.args_count == 1) or (process.args != \"rundll32.exe\" and process.args_count == 0))] [network where event.type == \"connection\" and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\")]\n","filters":[],"actions":[]}
55
{"id":"11d7b970-0076-4ae1-b328-16d6778489f2","updated_at":"2025-08-18T03:45:34.509Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.308Z","created_by":"841510929","name":"test_esql_rule_with_shared_rule_exception","tags":[],"interval":"5m","enabled":true,"revision":2,"description":"Find Excel events","risk_score":0,"severity":"low","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-6m","rule_id":"7e0f6dae-5847-465f-89e9-a6de0e9ef918","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[{"id":"5c6a49d5-b3f1-42f7-b484-1a36462f3e06","list_id":"1c8a1378-8f0d-4565-9ae0-abeeaf3981ca","type":"detection","namespace_type":"single"}],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"process.parent.name","type":"keyword","ecs":true}],"setup":"None","type":"esql","language":"esql","query":"from auditbeat-* METADATA _id, _version, _index | KEEP process.parent.name | where process.parent.name == \"EXCEL.EXE\"\n","actions":[]}
66
{"id":"72abd101-fe39-43f0-a6d1-e9a373684cab","updated_at":"2025-08-18T03:46:00.515Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.334Z","created_by":"841510929","name":"test_new_terms_rule_with_shared_rule_exception","tags":[],"interval":"5m","enabled":true,"revision":2,"description":"Detects a user associated with a new IP address","risk_score":0,"severity":"medium","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-6m","rule_id":"2390c9dd-ad90-4af6-97a4-1d607ba0f092","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[{"id":"5c6a49d5-b3f1-42f7-b484-1a36462f3e06","list_id":"1c8a1378-8f0d-4565-9ae0-abeeaf3981ca","type":"detection","namespace_type":"single"}],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"user.id","type":"keyword","ecs":true},{"name":"source.ip","type":"ip","ecs":true}],"setup":"None","type":"new_terms","query":"host.name:prml-19 and event.category:authentication and event.outcome:failure\n","new_terms_fields":["user.id","source.ip"],"history_window_start":"now-30d","index":["auditbeat*"],"filters":[],"language":"kuery","actions":[]}
7-
{"id":"2294573b-7afc-460d-b512-d119fe6f861e","rule_id":"4c589d81-2622-4036-8cc7-372ea8f0e038","name":"test_indicator_match_rule_with_email_actions","immutable":false,"rule_source":{"type":"internal"},"version":1,"revision":1,"updated_at":"2025-10-29T15:29:49.728Z","updated_by":"3610252053","created_at":"2025-10-29T15:29:07.740Z","created_by":"3610252053","enabled":true,"interval":"5m","from":"now-6m","to":"now","description":"Checks for bad IP addresses listed in the ip-threat-list index","tags":[],"author":["841510929"],"license":"","threat":[],"related_integrations":[],"required_fields":[{"name":"destination.ip","type":"ip","ecs":true},{"name":"destination.port","type":"long","ecs":true},{"name":"host.ip","type":"ip","ecs":true}],"setup":"None","note":"None","false_positives":[],"references":[],"risk_score":0,"risk_score_mapping":[],"severity":"medium","severity_mapping":[],"output_index":"","max_signals":100,"exceptions_list":[],"actions":[{"id":"Elastic-Cloud-SMTP","params":{"message":"Rule {{context.rule.name}} generated {{state.signals_count}} alerts","to":["[email protected]"],"subject":"Test Actions"},"action_type_id":".email","uuid":"98de9d3f-87e9-468a-b656-26f8c2f64c00","frequency":{"summary":true,"notifyWhen":"onActiveAlert","throttle":null},"group":"default"}],"meta":{"kibana_siem_app_url":""},"type":"threat_match","language":"kuery","index":["packetbeat-*"],"query":"destination.ip:* or host.ip:*\n","filters":[],"threat_filters":[],"threat_query":"*:*","threat_mapping":[{"entries":[{"field":"destination.ip","type":"mapping","value":"destination.ip"},{"field":"destination.port","type":"mapping","value":"destination.port"}]},{"entries":[{"field":"source.ip","type":"mapping","value":"host.ip"}]}],"threat_language":"kuery","threat_index":["ip-threat-list"],"threat_indicator_path":"threat.indicator"}
7+
{"id":"e0e31a34-2e18-40c0-af09-539021e8439d","updated_at":"2025-08-18T03:47:21.590Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.344Z","created_by":"841510929","name":"test_indicator_match_rule_with_email_actions","tags":[],"interval":"5m","enabled":true,"revision":5,"description":"Checks for bad IP addresses listed in the ip-threat-list index","risk_score":0,"severity":"medium","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-6m","rule_id":"4c589d81-2622-4036-8cc7-372ea8f0e038","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"destination.ip","type":"ip","ecs":true},{"name":"destination.port","type":"long","ecs":true},{"name":"host.ip","type":"ip","ecs":true}],"setup":"None","type":"threat_match","language":"kuery","index":["packetbeat-*"],"query":"destination.ip:* or host.ip:*\n","filters":[],"threat_filters":[],"threat_query":"*:*","threat_mapping":[{"entries":[{"field":"destination.ip","type":"mapping","value":"destination.ip"},{"field":"destination.port","type":"mapping","value":"destination.port"}]},{"entries":[{"field":"source.ip","type":"mapping","value":"host.ip"}]}],"threat_language":"kuery","threat_index":["ip-threat-list"],"threat_indicator_path":"threat.indicator","actions":[{"id":"elastic-cloud-email","params":{"message":"Rule {{context.rule.name}} generated {{state.signals_count}} alerts","subject":"Test Actions","to":["[email protected]"]},"action_type_id":".email","uuid":"74c388a4-c94f-4541-bacc-2a1b4c47e768","frequency":{"summary":true,"notifyWhen":"onActiveAlert","throttle":null},"group":"default"}]}
88
{"id":"d46a29ca-9b5b-4cbd-b11f-35c6b59f207b","updated_at":"2025-08-18T03:44:54.407Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.331Z","created_by":"841510929","name":"test_threshold_with_rule_exception","tags":["Brute force"],"interval":"2m","enabled":true,"revision":1,"description":"Detects when there are 20 or more failed login attempts from the same IP address with a 2 minute time frame.","risk_score":0,"severity":"low","note":"None","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-3m","rule_id":"d46a29ca-9b5b-4cbd-b11f-35c6b59f207b","max_signals":100,"risk_score_mapping":[],"severity_mapping":[{"field":"source.geo.city_name","operator":"equals","severity":"low","value":"Manchester"},{"field":"source.geo.city_name","operator":"equals","severity":"medium","value":"London"},{"field":"source.geo.city_name","operator":"equals","severity":"high","value":"Birmingham"},{"field":"source.geo.city_name","operator":"equals","severity":"critical","value":"Wallingford"}],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[{"id":"82395156-8ad2-46c3-be79-1f1a23c0d802","list_id":"0a4124f8-2074-450b-8689-d7dee319c666","type":"rule_default","namespace_type":"single"}],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[{"name":"source.ip","type":"ip","ecs":true}],"setup":"None","type":"threshold","language":"kuery","index":["winlogbeat-*"],"query":"host.name:prml-19 and event.category:authentication and event.outcome:failure\n","filters":[],"threshold":{"field":["source.ip"],"value":20,"cardinality":[]},"actions":[]}
99
{"id":"8a3296e2-4a74-4d51-b819-8d4e58377bf7","updated_at":"2025-08-18T03:48:19.634Z","updated_by":"841510929","created_at":"2025-08-14T13:09:02.415Z","created_by":"841510929","name":"test_machine_learning_rule_with_index_action_connector ","tags":["machine learning","Linux"],"interval":"5m","enabled":true,"revision":5,"description":"Generates alerts when the job discovers anomalies over 70","risk_score":0,"severity":"high","note":"Shut down the internet.","license":"","output_index":"","meta":{"kibana_siem_app_url":""},"author":["841510929"],"false_positives":[],"from":"now-6m","rule_id":"8a3296e2-4a74-4d51-b819-8d4e58377bf7","max_signals":100,"risk_score_mapping":[],"severity_mapping":[],"threat":[],"to":"now","references":[],"version":1,"exceptions_list":[],"immutable":false,"rule_source":{"type":"internal"},"related_integrations":[],"required_fields":[],"setup":"This rule requires data coming in from Elastic Defend.","type":"machine_learning","anomaly_threshold":70,"machine_learning_job_id":["linux_anomalous_network_activity_ecs"],"actions":[{"id":"e1b418e7-78df-4042-bfb0-1cc5fb6f7a4e","params":{"documents":[{"rule.id":"{{rule.id}}"}]},"action_type_id":".index","uuid":"175f50f8-3bc1-4017-805f-e532d7eb2f91","frequency":{"summary":true,"notifyWhen":"onActiveAlert","throttle":null},"group":"default"}]}
1010
{"_version":"WzE3NjU1LDhd","created_at":"2025-08-14T12:42:04.522Z","created_by":"841510929","description":"","id":"5c6a49d5-b3f1-42f7-b484-1a36462f3e06","immutable":false,"list_id":"1c8a1378-8f0d-4565-9ae0-abeeaf3981ca","name":"Test Excpetion List","namespace_type":"single","os_types":[],"tags":[],"tie_breaker_id":"14b3565d-0c8a-48db-b76a-e46c01574a57","type":"detection","updated_at":"2025-08-14T12:42:04.522Z","updated_by":"841510929","version":1}

0 commit comments

Comments
 (0)