This tunining is for 3 rules for Administrator Access Policy Attached to User, Role, & Group. These are ES|QL rules and the following changes have been made to each:
file name change to remain consistent with the rest of AWS rules
keep and sort functions removed from queries so that all fields are available with the alert
min_stack comment updated to reflect current ES|QL status
changed from to now-6m to prevent overlap during rule execution resulting in the potential for a single event to trigger 2 alerts for 2 different rule execution windows, since default interval is 5 min > this happened in my stack related tuning : https://github.com/elastic/detection-rules/pull/3868
Issues
https://github.com/elastic/ia-trade-team/issues/346
https://github.com/elastic/detection-rules/pull/3735
Summary
This tunining is for 3 rules for Administrator Access Policy Attached to User, Role, & Group. These are ES|QL rules and the following changes have been made to each:
file name change to remain consistent with the rest of AWS rules
keepandsortfunctions removed from queries so that all fields are available with the alertmin_stack commentupdated to reflect current ES|QL statuschanged
fromtonow-6mto prevent overlap during rule execution resulting in the potential for a single event to trigger 2 alerts for 2 different rule execution windows, since default interval is5 min> this happened in my stack related tuning : https://github.com/elastic/detection-rules/pull/3868updated_dateupdated