External Alerts

edit

Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.

Rule type: query

Rule indices:

  • apm--transaction
  • traces-apm*
  • auditbeat-*
  • filebeat-*
  • logs-*
  • packetbeat-*
  • winlogbeat-*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-6m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 10000

Tags:

  • Elastic
  • Network
  • Windows
  • APM
  • macOS
  • Linux

Version: 5 (version history)

Added (Elastic Stack release): 7.9.0

Last modified (Elastic Stack release): 8.4.0

Rule authors: Elastic

Rule license: Elastic License v2

Rule query

edit
event.kind:alert and not event.module:(endgame or endpoint)

Rule version history

edit
Version 5 (8.4.0 release)
  • Formatting only
Version 4 (7.14.0 release)
  • Updated query, changed from:

    event.kind:alert and not event.module:(endgame or endpoint)
Version 3 (7.12.0 release)
  • Formatting only
Version 2 (7.10.0 release)
  • Formatting only