Update Max signals value to supported limits

[shashank-elastic]

Pull Request

Issue link(s): #4539

Summary - What I changed

• Update max_signals to be 1000 for rules excedding the limit, as Elastic Cloud does not allow setting to more than 1000 alerts per rule run since 8.5.
• Update setup guides accordingly, the update is actaully derived from the issue as requested.
• Modify existing unit test to change the setup checks and also add checks to see if any rule exceeds the max_signals limit for 1000
• Add setup information for rules regarding promotions and have max_signals to 1000, leave the rest untouched based on review comments here

Note - For Self ( Author)

• What needs to be cheked is how the doc links behave for rules in v9.0, we dont have the doc preview yet this needs to be verifief before merging.

How To Test

• Unit test should pass.

Check for missing setup note for rules with max_signals == 1000

❯ pytest tests/test_all_rules.py::TestValidRules::test_max_signals_note
=========================================================== test session starts ============================================================
platform darwin -- Python 3.12.8, pytest-8.1.1, pluggy-1.4.0
rootdir: /Users/shashankks/elastic_workspace/detection-rules
configfile: pyproject.toml
plugins: typeguard-3.0.2
collected 1 item                                                                                                                           

tests/test_all_rules.py F                                                                                                            [100%]

================================================================= FAILURES =================================================================
___________________________________________________ TestValidRules.test_max_signals_note ___________________________________________________

self = <tests.test_all_rules.TestValidRules testMethod=test_max_signals_note>

    def test_max_signals_note(self):
        """Ensure the max_signals note is present when max_signals > 1000."""
        max_signal_standard_setup = 'For information about troubleshooting maximum alerts warning '\
                                    'please refer to this [guide]'\
                                    '(https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).'  # noqa: E501
        for rule in self.all_rules:
            if rule.contents.data.max_signals and rule.contents.data.max_signals > 1000:
                error_message = f'{self.rule_str(rule)} max_signals cannot exceed 1000.'
                self.fail(f'{self.rule_str(rule)} max_signals cannot exceed 1000.')
            if rule.contents.data.max_signals and rule.contents.data.max_signals == 1000:
                error_message = f'{self.rule_str(rule)} note required for max_signals == 1000'
                self.assertIsNotNone(rule.contents.data.setup, error_message)
                if max_signal_standard_setup not in rule.contents.data.setup:
>                   self.fail(f'{self.rule_str(rule)} expected max_signals note missing\n\n'
                              f'Expected: {max_signal_standard_setup}\n\n'
                              f'Actual: {rule.contents.data.setup}')
E                   AssertionError: 3a657da0-1df2-11ef-a327-f661ea17fbcc - Rapid7 Threat Command CVEs Correlation -> expected max_signals note missing
E                   
E                   Expected: For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
E                   
E                   Actual: ## Setup
E                   
E                   This rule needs threat intelligence indicators to work.
E                   Threat intelligence indicators can be collected using an [Elastic Agent integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#agent-ti-integration),
E                   the [Threat Intel module](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#ti-mod-integration),
E                   or a [custom integration](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html#custom-ti-integration).
E                   
E                   More information can be found [here](https://www.elastic.co/guide/en/security/current/es-threat-intel-integrations.html).

tests/test_all_rules.py:147: AssertionError
========================================================= short test summary info ==========================================================
FAILED tests/test_all_rules.py::TestValidRules::test_max_signals_note - AssertionError: 3a657da0-1df2-11ef-a327-f661ea17fbcc - Rapid7 Threat Command CVEs Correlation -> expected max_signals note missing
======================================================= 1 failed in 72.79s (0:01:12) =======================================================
(.venv) 
detection-rules on  issue-4539 [$!+?] is 📦 v1.0.2 via 🐍 v3.12.8 (.venv) on ☁️  [email protected] took 1m13s 
❯ 

Check for rules with max_signals exceeding 1000 count

 pytest tests/test_all_rules.py::TestValidRules::test_max_signals_note
=========================================================== test session starts ============================================================
platform darwin -- Python 3.12.8, pytest-8.1.1, pluggy-1.4.0
rootdir: /Users/shashankks/elastic_workspace/detection-rules
configfile: pyproject.toml
plugins: typeguard-3.0.2
collected 1 item                                                                                                                           

tests/test_all_rules.py F                                                                                                            [100%]

================================================================= FAILURES =================================================================
___________________________________________________ TestValidRules.test_max_signals_note ___________________________________________________

self = <tests.test_all_rules.TestValidRules testMethod=test_max_signals_note>

    def test_max_signals_note(self):
        """Ensure the max_signals note is present when max_signals > 1000."""
        max_signal_standard_setup = 'For information about troubleshooting maximum alerts warning '\
                                    'please refer to this [guide]'\
                                    '(https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).'  # noqa: E501
        for rule in self.all_rules:
            if rule.contents.data.max_signals and rule.contents.data.max_signals > 1000:
                error_message = f'{self.rule_str(rule)} max_signals cannot exceed 1000.'
>               self.fail(f'{self.rule_str(rule)} max_signals cannot exceed 1000.')
E               AssertionError: 3a657da0-1df2-11ef-a327-f661ea17fbcc - Rapid7 Threat Command CVEs Correlation -> max_signals cannot exceed 1000.

tests/test_all_rules.py:142: AssertionError
========================================================= short test summary info ==========================================================
FAILED tests/test_all_rules.py::TestValidRules::test_max_signals_note - AssertionError: 3a657da0-1df2-11ef-a327-f661ea17fbcc - Rapid7 Threat Command CVEs Correlation -> max_signals cannot exceed 1000.
======================================================= 1 failed in 73.50s (0:01:13) =======================================================
(.venv) 
detection-rules on  issue-4539 [$!+?] is 📦 v1.0.2 via 🐍 v3.12.8 (.venv) on ☁️  [email protected] took 1m14s 
❯ 

Checklist

• Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
• Added the meta:rapid-merge label if planning to merge within 24 hours
• Secret and sensitive material has been managed correctly
• Automated testing was updated or added to match the most common scenarios
• Documentation and comments were added for features that require explanation

Contributor checklist

• Have you signed the contributor license agreement?
• Have you followed the contributor guidelines?

[github-actions]

Rule: Tuning - Guidelines

These guidelines serve as a reminder set of considerations when tuning an existing rule.

Documentation and Context

• Detailed description of the suggested changes.
• Provide example JSON data or screenshots.
• Provide evidence of reducing benign events mistakenly identified as threats (False Positives).
• Provide evidence of enhancing detection of true threats that were previously missed (False Negatives).
• Provide evidence of optimizing resource consumption and execution time of detection rules (Performance).
• Provide evidence of specific environment factors influencing customized rule tuning (Contextual Tuning).
• Provide evidence of improvements made by modifying sensitivity by changing alert triggering thresholds (Threshold Adjustments).
• Provide evidence of refining rules to better detect deviations from typical behavior (Behavioral Tuning).
• Provide evidence of improvements of adjusting rules based on time-based patterns (Temporal Tuning).
• Provide reasoning of adjusting priority or severity levels of alerts (Severity Tuning).
• Provide evidence of improving quality integrity of our data used by detection rules (Data Quality).
• Ensure the tuning includes necessary updates to the release documentation and versioning.

Rule Metadata Checks

• updated_date matches the date of tuning PR merged.
• min_stack_version should support the widest stack versions.
• name and description should be descriptive and not include typos.
• query should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.

Testing and Validation

• Validate that the tuned rule's performance is satisfactory and does not negatively impact the stack.
• Ensure that the tuned rule has a low false positive rate.

[tradebot-elastic]

⛔️ Test failed

Results

- ❌ Potential Network Scan Detected (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Memory Threat - Detected - Elastic Defend (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ✅ Potential Cookies Theft via Browser Debugging (eql) - ❌ Memory Threat - Prevented- Elastic Defend (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Malware - Detected - Elastic Endgame (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Ransomware - Detected - Elastic Defend (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Behavior - Detected - Elastic Defend (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Ransomware - Prevented - Elastic Defend (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Potential Internal Linux SSH Brute Force Detected (eql) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Exploit - Detected - Elastic Endgame (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Exploit - Prevented - Elastic Endgame (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Potential Suspicious File Edit (eql) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Rapid7 Threat Command CVEs Correlation (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Malware - Prevented - Elastic Endgame (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ✅ NTDS or SAM Database File Copied (eql) - ❌ Permission Theft - Prevented - Elastic Endgame (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Credential Dumping - Detected - Elastic Endgame (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Creation of Hidden Shared Object File (eql) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Adversary Behavior - Detected - Elastic Endgame (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Potential Network Sweep Detected (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Process Injection - Detected - Elastic Endgame (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ SUID/SGID Bit Set (eql) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Ransomware - Detected - Elastic Endgame (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ File made Immutable by Chattr (eql) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Process Injection - Prevented - Elastic Endgame (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Endpoint Security (Elastic Defend) (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ My First Rule (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Timestomping using Touch Command (eql) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Creation of Hidden Files and Directories via CommandLine (eql) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Potential SYN-Based Port Scan Detected (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Credential Manipulation - Detected - Elastic Endgame (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ✅ Microsoft IIS Connection Strings Decryption (eql) - ❌ Permission Theft - Detected - Elastic Endgame (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Credential Manipulation - Prevented - Elastic Endgame (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Credential Dumping - Prevented - Elastic Endgame (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Ransomware - Prevented - Elastic Endgame (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ External Alerts (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Behavior - Prevented - Elastic Defend (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ✅ IIS HTTP Logging Disabled (eql) - ❌ Malicious File - Detected - Elastic Defend (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Malicious File - Prevented - Elastic Defend (kuery) - coverage_issue: no_rta - stack_validation_failed: no_rta - ❌ Potential External Linux SSH Brute Force Detected (eql) - coverage_issue: no_rta - stack_validation_failed: no_rta

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Potential Network Scan Detected (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Memory Threat - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ✅ Potential Cookies Theft via Browser Debugging (eql)
• ❌ Memory Threat - Prevented- Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malware - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Behavior - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Potential Internal Linux SSH Brute Force Detected (eql)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Exploit - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Exploit - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Potential Suspicious File Edit (eql)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Rapid7 Threat Command CVEs Correlation (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malware - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ✅ NTDS or SAM Database File Copied (eql)
• ❌ Permission Theft - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Dumping - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Creation of Hidden Shared Object File (eql)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Adversary Behavior - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Potential Network Sweep Detected (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Process Injection - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ SUID/SGID Bit Set (eql)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ File made Immutable by Chattr (eql)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Process Injection - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Endpoint Security (Elastic Defend) (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ My First Rule (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Timestomping using Touch Command (eql)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Creation of Hidden Files and Directories via CommandLine (eql)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Potential SYN-Based Port Scan Detected (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Manipulation - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ✅ Microsoft IIS Connection Strings Decryption (eql)
• ❌ Permission Theft - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Manipulation - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Dumping - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Behavior - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ✅ IIS HTTP Logging Disabled (eql)
• ❌ Malicious File - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malicious File - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Potential External Linux SSH Brute Force Detected (eql)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Potential Network Scan Detected (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Memory Threat - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ✅ Potential Cookies Theft via Browser Debugging (eql)
• ❌ Memory Threat - Prevented- Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malware - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Behavior - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Potential Internal Linux SSH Brute Force Detected (eql)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Exploit - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Exploit - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Potential Suspicious File Edit (eql)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Rapid7 Threat Command CVEs Correlation (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malware - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ✅ NTDS or SAM Database File Copied (eql)
• ❌ Permission Theft - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Dumping - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Creation of Hidden Shared Object File (eql)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Adversary Behavior - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Potential Network Sweep Detected (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Process Injection - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ SUID/SGID Bit Set (eql)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ File made Immutable by Chattr (eql)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Process Injection - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Endpoint Security (Elastic Defend) (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ My First Rule (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Timestomping using Touch Command (eql)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Creation of Hidden Files and Directories via CommandLine (eql)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Potential SYN-Based Port Scan Detected (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Manipulation - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ✅ Microsoft IIS Connection Strings Decryption (eql)
• ❌ Permission Theft - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Manipulation - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Dumping - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Behavior - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ✅ IIS HTTP Logging Disabled (eql)
• ❌ Malicious File - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malicious File - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Potential External Linux SSH Brute Force Detected (eql)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Memory Threat - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ✅ Potential Cookies Theft via Browser Debugging (eql)
• ❌ Memory Threat - Prevented- Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malware - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Behavior - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Exploit - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Exploit - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Rapid7 Threat Command CVEs Correlation (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malware - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ✅ NTDS or SAM Database File Copied (eql)
• ❌ Permission Theft - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Dumping - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Adversary Behavior - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Process Injection - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Process Injection - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Endpoint Security (Elastic Defend) (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Manipulation - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ✅ Microsoft IIS Connection Strings Decryption (eql)
• ❌ Permission Theft - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Manipulation - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Dumping - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Behavior - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ✅ IIS HTTP Logging Disabled (eql)
• ❌ Malicious File - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malicious File - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Memory Threat - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Memory Threat - Prevented- Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malware - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Behavior - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Exploit - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Exploit - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Rapid7 Threat Command CVEs Correlation (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malware - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ✅ NTDS or SAM Database File Copied (eql)
• ❌ Permission Theft - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Dumping - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Adversary Behavior - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Process Injection - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Process Injection - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Endpoint Security (Elastic Defend) (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Manipulation - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ✅ Microsoft IIS Connection Strings Decryption (eql)
• ❌ Permission Theft - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Manipulation - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Dumping - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Behavior - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ✅ IIS HTTP Logging Disabled (eql)
• ❌ Malicious File - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malicious File - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Memory Threat - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Memory Threat - Prevented- Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malware - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Behavior - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Exploit - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Exploit - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Rapid7 Threat Command CVEs Correlation (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malware - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Permission Theft - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Dumping - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Adversary Behavior - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Process Injection - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Process Injection - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Endpoint Security (Elastic Defend) (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Manipulation - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Permission Theft - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Manipulation - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Dumping - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Behavior - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malicious File - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malicious File - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[eric-forte-elastic]

Very much a Nit. We should still be using .get here right? Prior comment was a reference to comparing rule.contents.data.get(max_signals) to something like rule.contents.get(data).get(max_signals)

[w0rk3r]

Suggested change

	For information about troubleshooting maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
	For information on troubleshooting the maximum alerts warning, please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).

Small adjust

[shashank-elastic]

@approksiu thoughts on this, as we have derived this from the issue template.

[approksiu]

Looks good! I am fine with the change

[approksiu]

This would need to be changed across all rules in this PR

[w0rk3r]

I'm not sure if this is needed for this one

[shashank-elastic]

Maintaining the style of the previous change to also have consistent setup notes on max_signals = 1000

[approksiu]

I think there is less likelihood that this rule will hit the limit. It's ok to remove this note.

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Memory Threat - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Memory Threat - Prevented- Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malware - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Behavior - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Exploit - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Exploit - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Rapid7 Threat Command CVEs Correlation (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malware - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Permission Theft - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Dumping - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Adversary Behavior - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Process Injection - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Process Injection - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Endpoint Security (Elastic Defend) (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Manipulation - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Permission Theft - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Manipulation - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Dumping - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Behavior - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malicious File - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malicious File - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[eric-forte-elastic]

🟢 Peer review, looks good to me! 👍

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Memory Threat - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Memory Threat - Prevented- Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malware - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Behavior - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Exploit - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Exploit - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Rapid7 Threat Command CVEs Correlation (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malware - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Permission Theft - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Dumping - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Adversary Behavior - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Process Injection - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Process Injection - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Endpoint Security (Elastic Defend) (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Manipulation - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Permission Theft - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Manipulation - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Dumping - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Behavior - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malicious File - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malicious File - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[eric-forte-elastic]

Given that this change request is blocking the release and the wording change is minor, we will accept the change and continue with the release as it would otherwise be blocked.

[tradebot-elastic]

⛔️ Test failed

Results

• ❌ Memory Threat - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Memory Threat - Prevented- Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malware - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Behavior - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Exploit - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Exploit - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Rapid7 Threat Command CVEs Correlation (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malware - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Permission Theft - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Dumping - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Adversary Behavior - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Process Injection - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Process Injection - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Endpoint Security (Elastic Defend) (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Manipulation - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Permission Theft - Detected - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Manipulation - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Credential Dumping - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Ransomware - Prevented - Elastic Endgame (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ External Alerts (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Behavior - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malicious File - Detected - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta
• ❌ Malicious File - Prevented - Elastic Defend (kuery)
  • coverage_issue: no_rta
  • stack_validation_failed: no_rta

[eric-forte-elastic]

This commit request has been applied in 6f0d2f9. Dismissing request changes to reflect this.

This commit request has been applied in 6f0d2f9. Dismissing request changes to reflect this.