[Rule Tuning] AI4DSOC External Promotion Alerts (#4959)

Mikaayenson · tradebot-elastic · commit 386884207072 · 2025-08-04T16:30:10.000Z
(cherry picked from commit 80e44d0)
diff --git a/rules/promotions/crowdstrike_external_alerts.toml b/rules/promotions/crowdstrike_external_alerts.toml
@@ -5,7 +5,7 @@ maturity = "production"
 promotion = true
 min_stack_version = "8.18.0"
 min_stack_comments = "Introduced support for CrowdStrike alert promotion"
-updated_date = "2025/07/31"
+updated_date = "2025/08/04"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ note = """## Triage and analysis
 
 ### Investigating CrowdStrike External Alerts
 
-CrowdStrike Falcon is a cloud-native endpoint protection platform that delivers real-time threat detection and response capabilities. The 'Behavior - Detected - CrowdStrike Alerts' rule captures security alerts generated by Falcon and enables analysts to investigate threats rapidly based on behavioral indicators and threat intelligence.
+CrowdStrike Falcon is a cloud-native endpoint protection platform that delivers real-time threat detection and response capabilities. The rule captures security alerts generated by Falcon and enables analysts to investigate threats rapidly based on behavioral indicators and threat intelligence.
 
 ### Possible investigation steps
 
@@ -53,7 +53,7 @@ CrowdStrike Falcon is a cloud-native endpoint protection platform that delivers
 references = ["https://docs.elastic.co/en/integrations/crowdstrike"]
 risk_score = 47
 rule_id = "aeebe561-c338-4118-9924-8cb4e478aa58"
-rule_name_override = "message"
+rule_name_override = "crowdstrike.alert.name"
 setup = """## Setup
 
 ### CrowdStrike Alert Integration
diff --git a/rules/promotions/elastic_security_external_alerts.toml b/rules/promotions/elastic_security_external_alerts.toml
@@ -5,7 +5,7 @@ maturity = "production"
 promotion = true
 min_stack_version = "8.18.0"
 min_stack_comments = "Introduced support for Elastic Security alert promotion"
-updated_date = "2025/07/31"
+updated_date = "2025/08/04"
 
 [rule]
 author = ["Elastic"]
@@ -25,7 +25,7 @@ note = """
 
 ### Investigating Elastic Security External Alerts
 
-Elastic Security is a comprehensive security platform that provides real-time visibility into your environment, helping you detect and respond to threats effectively. The 'Behavior - Detected - Elastic Security Alerts' rule identifies such threats by monitoring specific alert events, enabling analysts to swiftly investigate and mitigate potential security incidents.
+The Elastic Security integration facilitates transferring security alert data from another Elasticsearch instance to your own, enabling threats to be investigated in a centralized manner.
 
 ### Possible investigation steps
 
diff --git a/rules/promotions/google_secops_external_alerts.toml b/rules/promotions/google_secops_external_alerts.toml
@@ -5,7 +5,7 @@ maturity = "production"
 promotion = true
 min_stack_version = "8.18.0"
 min_stack_comments = "Introduced support for Google SecOps alert promotion"
-updated_date = "2025/07/31"
+updated_date = "2025/08/04"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ note = """Triage and analysis
 
 ### Investigating Google SecOps External Alerts
 
-Google SecOps provides a robust framework for monitoring and managing security operations within cloud environments. The detection rule leverages specific event identifiers to flag suspicious alerts, enabling analysts to swiftly investigate potential threats and mitigate risks.
+Google SecOps provides a robust framework for monitoring and managing security operations within cloud environments. The rule leverages specific event identifiers to flag suspicious alerts, enabling analysts to swiftly investigate potential threats and mitigate risks.
 
 ### Possible investigation steps
 
@@ -106,5 +106,3 @@ field = "event.severity"
 operator = "equals"
 severity = "critical"
 value = "99"
-
-
diff --git a/rules/promotions/microsoft_sentinel_external_alerts.toml b/rules/promotions/microsoft_sentinel_external_alerts.toml
@@ -5,7 +5,7 @@ maturity = "production"
 promotion = true
 min_stack_version = "8.18.0"
 min_stack_comments = "Introduced support for Microsoft Sentinel alert promotion"
-updated_date = "2025/07/31"
+updated_date = "2025/08/04"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ note = """ Triage and analysis
 
 ## Investigating Microsoft Sentinel External Alerts
 
-Microsoft Sentinel is a cloud-native SIEM tool that aggregates security data for threat detection and response. The 'Behavior - Detected' rule identifies each alert logged in Sentinel, enabling analysts to swiftly investigate potential threats.
+Microsoft Sentinel is a cloud-native SIEM tool that aggregates security data for threat detection and response. The rule identifies each alert logged in Sentinel, enabling analysts to swiftly investigate potential threats.
 
 ### Possible investigation steps
 
@@ -86,18 +86,22 @@ value = ""
 field = "event.severity"
 operator = "equals"
 severity = "low"
-value = "1"
+value = "21"
 
 [[rule.severity_mapping]]
 field = "event.severity"
 operator = "equals"
 severity = "medium"
-value = "2"
+value = "47"
 
 [[rule.severity_mapping]]
 field = "event.severity"
 operator = "equals"
 severity = "high"
-value = "3"
-
+value = "73"
 
+[[rule.severity_mapping]]
+field = "event.severity"
+operator = "equals"
+severity = "critical"
+value = "99"
diff --git a/rules/promotions/sentinelone_alert_external_alerts.toml b/rules/promotions/sentinelone_alert_external_alerts.toml
@@ -5,7 +5,7 @@ maturity = "production"
 promotion = true
 min_stack_version = "8.18.0"
 min_stack_comments = "Introduced support for SentinelOne alert promotion"
-updated_date = "2025/07/31"
+updated_date = "2025/08/04"
 
 [rule]
 author = ["Elastic"]
@@ -19,12 +19,12 @@ interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
 max_signals = 1000
-name = "SentinelOne External Alerts"
+name = "SentinelOne Alert External Alerts"
 note = """## Triage and analysis
 
-### Investigating SentinelOne External Alerts
+### Investigating SentinelOne Alert External Alerts
 
-SentinelOne is a cybersecurity platform that provides endpoint protection by detecting and responding to threats in real-time. The 'Behavior - Detected - SentinelOne Alerts' rule identifies such threats by monitoring specific alert events, enabling analysts to swiftly investigate and mitigate potential security incidents.
+SentinelOne is a cybersecurity platform that provides endpoint protection by detecting and responding to threats in real-time. The rule identifies such threats by monitoring specific alert events, enabling analysts to swiftly investigate and mitigate potential security incidents.
 
 ### Possible investigation steps
 
@@ -55,15 +55,15 @@ SentinelOne is a cybersecurity platform that provides endpoint protection by det
 references = ["https://docs.elastic.co/en/integrations/sentinel_one"]
 risk_score = 47
 rule_id = "9b35422b-9102-45a9-8610-2e0c22281c55"
-rule_name_override = "sentinel_one.alert.rule.name"
+rule_name_override = "rule.name"
 setup = """## Setup
 
 ### SentinelOne Alert Integration
 This rule is designed to capture alert events generated by the SentinelOne integration and promote them as Elastic detection alerts.
 
 To capture SentinelOne alerts, install and configure the SentinelOne integration to ingest alert events into the `logs-sentinel_one.alert-*` index pattern.
 
-If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same SentinelOne events. Consider adding a rule exception for the External Alert rule to exclude datastream.dataset: (sentinel_one.alert or sentinel_one.threat) to avoid receiving duplicate alerts.
+If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same SentinelOne events. Consider adding a rule exception for the External Alert rule to exclude datastream.dataset: sentinel_one.alert to avoid receiving duplicate alerts.
 
 ### Additional notes
 
@@ -75,7 +75,7 @@ timestamp_override = "event.ingested"
 type = "query"
 
 query = '''
-(event.kind: alert and data_stream.dataset: sentinel_one.threat) or (event.kind: event and data_stream.dataset: sentinel_one.alert)
+event.kind: event and data_stream.dataset: sentinel_one.alert
 '''
 
 
@@ -85,27 +85,25 @@ operator = "equals"
 value = ""
 
 [[rule.severity_mapping]]
-field = "sentinel_one.alert.rule.severity"
+field = "event.severity"
 operator = "equals"
 severity = "low"
-value = "Low"
+value = "21"
 
 [[rule.severity_mapping]]
-field = "sentinel_one.alert.rule.severity"
+field = "event.severity"
 operator = "equals"
 severity = "medium"
-value = "Medium"
+value = "47"
 
 [[rule.severity_mapping]]
-field = "sentinel_one.alert.rule.severity"
+field = "event.severity"
 operator = "equals"
 severity = "high"
-value = "High"
+value = "73"
 
 [[rule.severity_mapping]]
-field = "sentinel_one.alert.rule.severity"
+field = "event.severity"
 operator = "equals"
 severity = "critical"
-value = "Critical"
-
-
+value = "99"
diff --git a/rules/promotions/sentinelone_threat_external_alerts.toml b/rules/promotions/sentinelone_threat_external_alerts.toml
@@ -0,0 +1,97 @@
+[metadata]
+creation_date = "2025/08/04"
+integration = ["sentinel_one"]
+maturity = "production"
+promotion = true
+min_stack_version = "8.18.0"
+min_stack_comments = "Introduced support for SentinelOne threat promotion"
+updated_date = "2025/08/04"
+
+[rule]
+author = ["Elastic"]
+description = """
+Generates a detection alert for each SentinelOne threat written to the configured indices. Enabling this rule allows you
+to immediately begin investigating SentinelOne threat alerts in the app.
+"""
+from = "now-2m"
+index = ["logs-sentinel_one.threat-*"]
+interval = "1m"
+language = "kuery"
+license = "Elastic License v2"
+max_signals = 1000
+name = "SentinelOne Threat External Alerts"
+note = """## Triage and analysis
+
+### Investigating SentinelOne Threat External Alerts
+
+SentinelOne is a cybersecurity platform that provides endpoint protection by detecting and responding to threats in real-time. The rule identifies such threats by monitoring specific threat events, enabling analysts to swiftly investigate and mitigate potential security incidents.
+
+### Possible investigation steps
+
+- Correlate the threat alert with recent activity on the affected endpoint to identify any unusual or suspicious behavior patterns.
+- Check for any additional alerts or logs related to the same endpoint or user to determine if this is part of a broader attack or isolated incident.
+- Investigate the source and destination IP addresses involved in the threat to assess if they are known to be malicious or associated with previous threats.
+- Analyze any files or processes flagged in the threat alert to determine if they are legitimate or potentially malicious, using threat intelligence sources if necessary.
+- Consult the SentinelOne investigation guide and resources tagged in the alert for specific guidance on handling similar threats.
+
+### False positive analysis
+
+- Threats triggered by routine software updates or patches can be false positives. Review the context of the threat to determine if it aligns with scheduled maintenance activities.
+- Legitimate administrative tools or scripts may trigger threat alerts. Identify and whitelist these tools if they are verified as non-threatening.
+- Frequent threat alerts from known safe applications or processes can be excluded by creating exceptions for these specific behaviors in the SentinelOne configuration.
+- Network scanning or monitoring tools used by IT teams might be flagged. Ensure these tools are documented and excluded from triggering alerts if they are part of regular operations.
+- User behavior that is consistent with their role but triggers threat alerts should be reviewed. If deemed non-malicious, adjust the rule to exclude these specific user actions.
+
+### Response and remediation
+
+- Isolate the affected endpoint immediately to prevent lateral movement and further compromise within the network.
+- Analyze the specific threat alert details to identify the nature of the threat and any associated indicators of compromise (IOCs).
+- Remove or quarantine any malicious files or processes identified by the SentinelOne threat alert to neutralize the threat.
+- Apply relevant security patches or updates to address any exploited vulnerabilities on the affected endpoint.
+- Conduct a thorough scan of the network to identify any additional endpoints that may have been compromised or are exhibiting similar behavior.
+- Document the incident and escalate to the appropriate security team or management if the threat is part of a larger attack campaign or if additional resources are needed for remediation.
+- Review and update endpoint protection policies and configurations to enhance detection and prevention capabilities against similar threats in the future.
+"""
+references = ["https://docs.elastic.co/en/integrations/sentinel_one"]
+risk_score = 47
+rule_id = "e43b7578-f3cc-4682-a8cf-f9d8a5fb07f1"
+rule_name_override = "message"
+setup = """## Setup
+
+### SentinelOne Threat Integration
+This rule is designed to capture threat events generated by the SentinelOne integration and promote them as Elastic detection alerts.
+
+To capture SentinelOne threat alerts, install and configure the SentinelOne integration to ingest threat events into the `logs-sentinel_one.threat-*` index pattern.
+
+If this rule is enabled alongside the External Alerts promotion rule (UUID: eb079c62-4481-4d6e-9643-3ca499df7aaa), you may receive duplicate alerts for the same SentinelOne events. Consider adding a rule exception for the External Alert rule to exclude datastream.dataset: sentinel_one.threat to avoid receiving duplicate alerts.
+
+### Additional notes
+
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
+"""
+severity = "medium"
+tags = ["Data Source: SentinelOne", "Use Case: Threat Detection", "Resources: Investigation Guide", "Promotion: External Alerts"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.kind: alert and data_stream.dataset: sentinel_one.threat
+'''
+
+
+[[rule.risk_score_mapping]]
+field = "event.risk_score"
+operator = "equals"
+value = ""
+
+[[rule.severity_mapping]]
+field = "sentinel_one.threat.confidence_level"
+operator = "equals"
+severity = "medium"
+value = "suspicious"
+
+[[rule.severity_mapping]]
+field = "sentinel_one.threat.confidence_level"
+operator = "equals"
+severity = "high"
+value = "malicious"
diff --git a/rules/promotions/splunk_external_alerts.toml b/rules/promotions/splunk_external_alerts.toml
@@ -5,7 +5,7 @@ maturity = "production"
 promotion = true
 min_stack_version = "8.18.0"
 min_stack_comments = "Introduced support for Splunk alert integration and promotion"
-updated_date = "2025/07/31"
+updated_date = "2025/08/04"
 
 [rule]
 author = ["Elastic"]
@@ -24,7 +24,7 @@ note = """## Triage and analysis
 
 ### Investigating Splunk External Alerts
 
-Splunk monitors and analyzes data, often used in security environments to track and respond to potential threats. The 'Behavior - Detected - Splunk Alerts' rule identifies such manipulations by flagging alerts enabling timely investigation and response.
+Splunk monitors and analyzes data, often used in security environments to track and respond to potential threats. The rule identifies such manipulations by flagging alerts enabling timely investigation and response.
 
 ### Possible investigation steps
 
@@ -107,5 +107,3 @@ field = "event.severity"
 operator = "equals"
 severity = "critical"
 value = "99"
-
-
