elastic · shashank-elastic · Mar 27, 2025 · Mar 21, 2025 · Mar 24, 2025 · Mar 24, 2025
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.0.2"
+version = "1.0.3"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"

diff --git a/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml b/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_detected.toml
@@ -5,7 +5,7 @@ maturity = "production"
 min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
 min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/02/06"
+updated_date = "2025/03/21"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"]
 interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
-max_signals = 10000
+max_signals = 1000
 name = "Memory Threat - Detected - Elastic Defend"
 note = """## Triage and analysis
 
@@ -102,13 +102,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f
 To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306).
 
 ### Additional notes
-This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
 
-**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
-
-To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
-
-**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
 """
 severity = "high"
 tags = ["Data Source: Elastic Defend", "Tactic: Defense Evasion", "Resources: Investigation Guide"]

diff --git a/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml b/rules/integrations/endpoint/defense_evasion_elastic_memory_threat_prevented.toml
@@ -5,7 +5,7 @@ maturity = "production"
 min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
 min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/02/06"
+updated_date = "2025/03/21"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"]
 interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
-max_signals = 10000
+max_signals = 1000
 name = "Memory Threat - Prevented- Elastic Defend"
 note = """## Triage and analysis
 
@@ -101,13 +101,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f
 To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306).
 
 ### Additional notes
-This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
 
-**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
-
-To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
-
-**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
 """
 severity = "high"
 tags = ["Data Source: Elastic Defend", "Tactic: Defense Evasion", "Resources: Investigation Guide"]

diff --git a/rules/integrations/endpoint/elastic_endpoint_security.toml b/rules/integrations/endpoint/elastic_endpoint_security.toml
@@ -3,7 +3,7 @@ creation_date = "2020/07/08"
 integration = ["endpoint"]
 maturity = "production"
 promotion = true
-updated_date = "2025/03/20"
+updated_date = "2025/03/21"
 
 [rule]
 author = ["Elastic"]
@@ -17,7 +17,7 @@ index = ["logs-endpoint.alerts-*"]
 interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
-max_signals = 10000
+max_signals = 1000
 name = "Endpoint Security (Elastic Defend)"
 note = """## Triage and analysis
 
@@ -75,13 +75,8 @@ Related rules:
 - Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17fbce)
 
 ### Additional notes
-This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
 
-**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
-
-To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
-
-**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
 """
 severity = "medium"
 tags = ["Data Source: Elastic Defend", "Resources: Investigation Guide"]

diff --git a/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml b/rules/integrations/endpoint/elastic_endpoint_security_behavior_detected.toml
@@ -5,7 +5,7 @@ maturity = "production"
 min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
 min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/02/06"
+updated_date = "2025/03/21"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"]
 interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
-max_signals = 10000
+max_signals = 1000
 name = "Behavior - Detected - Elastic Defend"
 note = """## Triage and analysis
 
@@ -85,13 +85,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f
 To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306).
 
 ### Additional notes
-This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
 
-**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
-
-To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
-
-**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
 """
 severity = "medium"
 tags = ["Data Source: Elastic Defend", "Resources: Investigation Guide"]

diff --git a/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml b/rules/integrations/endpoint/elastic_endpoint_security_behavior_prevented.toml
@@ -5,7 +5,7 @@ maturity = "production"
 min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
 min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/02/06"
+updated_date = "2025/03/21"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"]
 interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
-max_signals = 10000
+max_signals = 1000
 name = "Behavior - Prevented - Elastic Defend"
 note = """## Triage and analysis
 
@@ -86,13 +86,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f
 To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306).
 
 ### Additional notes
-This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
 
-**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
-
-To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
-
-**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
 """
 severity = "low"
 tags = ["Data Source: Elastic Defend", "Resources: Investigation Guide"]

diff --git a/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml b/rules/integrations/endpoint/execution_elastic_malicious_file_detected.toml
@@ -5,7 +5,7 @@ maturity = "production"
 min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
 min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/02/06"
+updated_date = "2025/03/21"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"]
 interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
-max_signals = 10000
+max_signals = 1000
 name = "Malicious File - Detected - Elastic Defend"
 note = """## Triage and analysis
 
@@ -93,13 +93,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f
 To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306).
 
 ### Additional notes
-This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
 
-**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
-
-To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
-
-**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
 """
 severity = "medium"
 tags = ["Data Source: Elastic Defend", "Tactic: Execution", "Resources: Investigation Guide"]

diff --git a/rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml b/rules/integrations/endpoint/execution_elastic_malicious_file_prevented.toml
@@ -5,7 +5,7 @@ maturity = "production"
 min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
 min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/02/06"
+updated_date = "2025/03/21"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"]
 interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
-max_signals = 10000
+max_signals = 1000
 name = "Malicious File - Prevented - Elastic Defend"
 note = """## Triage and analysis
 
@@ -93,13 +93,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f
 To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306).
 
 ### Additional notes
-This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
 
-**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
-
-To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
-
-**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
 """
 severity = "low"
 tags = ["Data Source: Elastic Defend", "Tactic: Execution", "Resources: Investigation Guide"]

diff --git a/rules/integrations/endpoint/impact_elastic_ransomware_detected.toml b/rules/integrations/endpoint/impact_elastic_ransomware_detected.toml
@@ -5,7 +5,7 @@ maturity = "production"
 min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
 min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/02/06"
+updated_date = "2025/03/21"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"]
 interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
-max_signals = 10000
+max_signals = 1000
 name = "Ransomware - Detected - Elastic Defend"
 note = """## Triage and analysis
 
@@ -84,13 +84,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f
 To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306).
 
 ### Additional notes
-This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
 
-**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
-
-To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
-
-**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
 """
 severity = "high"
 tags = ["Data Source: Elastic Defend", "Tactic: Impact", "Resources: Investigation Guide"]

diff --git a/rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml b/rules/integrations/endpoint/impact_elastic_ransomware_prevented.toml
@@ -5,7 +5,7 @@ maturity = "production"
 min_stack_comments = "Defend alerting adjustments patch to distinguish prevention and detection."
 min_stack_version = "8.16.0"
 promotion = true
-updated_date = "2025/02/06"
+updated_date = "2025/03/21"
 
 [rule]
 author = ["Elastic"]
@@ -20,7 +20,7 @@ index = ["logs-endpoint.alerts-*"]
 interval = "1m"
 language = "kuery"
 license = "Elastic License v2"
-max_signals = 10000
+max_signals = 1000
 name = "Ransomware - Prevented - Elastic Defend"
 note = """## Triage and analysis
 
@@ -85,13 +85,8 @@ Ransomware - Prevented - Elastic Defend (UUID: 10f3d520-ea35-11ee-a417-f661ea17f
 To avoid generating duplicate alerts, you should enable either all feature-specific protection rules or the Endpoint Security (Elastic Defend) rule (UUID: 9a1a2dae-0b5f-4c3d-8305-a268d404c306).
 
 ### Additional notes
-This rule is configured to generate more **Max alerts per run** than the default 1000 alerts per run set for all rules. This is to ensure that it captures as many alerts as possible.
 
-**IMPORTANT:** The rule's **Max alerts per run** setting can be superseded by the `xpack.alerting.rules.run.alerts.max` Kibana config setting, which determines the maximum alerts generated by _any_ rule in the Kibana alerting framework. For example, if `xpack.alerting.rules.run.alerts.max` is set to 1000, this rule will still generate no more than 1000 alerts even if its own **Max alerts per run** is set higher.
-
-To make sure this rule can generate as many alerts as it's configured in its own **Max alerts per run** setting, increase the `xpack.alerting.rules.run.alerts.max` system setting accordingly.
-
-**NOTE:** Changing `xpack.alerting.rules.run.alerts.max` is not possible in Serverless projects.
+For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
 """
 severity = "high"
 tags = ["Data Source: Elastic Defend", "Tactic: Impact", "Resources: Investigation Guide"]