Closed imays11 closed 2 weeks ago
These guidelines serve as a reminder set of considerations when tuning an existing rule.
- `updated_date` matches the date of tuning PR merged.
- `min_stack_version` should support the widest stack versions.
- `name` and `description` should be descriptive and not include typos.
- `query` should be inclusive, not overly exclusive. Review to ensure the original intent of the rule is maintained.
Pull Request
Issue link(s): https://github.com/elastic/ia-trade-team/issues/458
Summary - What I changed
Tuning this rule to exclude identity type `AssumedRole` as this is too common a behavior, often automated, and used to verify current identity and role assumptions. Therefore it is not as indicative of suspicious behavior when used by assumed roles. This rule will still trigger for `IAMUser` and `FederatedUser` identity types. In telemetry this change reduces alerts from ~240,000 to 43 in the last 30 days.
How To Test
Screenshot to show valid query
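The exclusion described in the PR body, modelled over a handful of constructed CloudTrail-style records. This is an added example, not code from the PR or from the elastic/detection-rules repository: the rule's name, its actual query and the event names are not on the PR page, so `matches_original_rule` is a placeholder that selects every sample event, and the account IDs, ARNs and user names are made up. It shows the one semantic the tuning relies on: filtering on `userIdentity.type` so that `AssumedRole` callers stop alerting while `IAMUser` and `FederatedUser` callers (and records with no identity type at all) still do.

```python
"""Added example modelling the AssumedRole exclusion; not the PR's own query."""
from collections import Counter

# Identity types named in the PR body.
EXCLUDED_IDENTITY_TYPES = frozenset({"AssumedRole"})
STILL_ALERTING_TYPES = frozenset({"IAMUser", "FederatedUser"})

# Constructed records. The userIdentity shape follows the CloudTrail record
# format; eventName, account IDs, ARNs and names are placeholders.
SAMPLE_EVENTS = [
    {"eventName": "PlaceholderAction",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/ci-deploy/i-0abc",
                      "sessionContext": {"sessionIssuer": {"type": "Role",
                                                           "userName": "ci-deploy"}}}},
    {"eventName": "PlaceholderAction",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::111122223333:assumed-role/lambda-exec/fn",
                      "sessionContext": {"sessionIssuer": {"type": "Role",
                                                           "userName": "lambda-exec"}}}},
    {"eventName": "PlaceholderAction",
     "userIdentity": {"type": "IAMUser", "userName": "alice"}},
    {"eventName": "PlaceholderAction",
     "userIdentity": {"type": "FederatedUser", "userName": "bob@example.com"}},
    # Record with no identity type: an exclusion must not swallow it.
    {"eventName": "PlaceholderAction", "userIdentity": {}},
]


def identity_type(event):
    """Return userIdentity.type, or None when the record lacks it."""
    return event.get("userIdentity", {}).get("type")


def matches_original_rule(event):
    """Pre-tuning behaviour. The real query is not on the PR page, so this
    placeholder treats every sample event as a match."""
    return True


def matches_tuned_rule(event):
    """Post-tuning behaviour: the same matches minus AssumedRole callers.

    Written as an exclusion (type is not AssumedRole) rather than an allow-list
    of IAMUser/FederatedUser, so records with other or missing identity types
    keep matching. That keeps the rule inclusive rather than overly exclusive,
    which is what the tuning checklist asks for.
    """
    return (matches_original_rule(event)
            and identity_type(event) not in EXCLUDED_IDENTITY_TYPES)


def alert_counts(events):
    """(alerts before tuning, alerts after tuning) over the given events."""
    before = sum(1 for e in events if matches_original_rule(e))
    after = sum(1 for e in events if matches_tuned_rule(e))
    return before, after


def alerting_types(events):
    """Identity types that still produce alerts after tuning, with counts."""
    return Counter(identity_type(e) for e in events if matches_tuned_rule(e))


def assumed_role_issuers(events):
    """Context worth checking when reviewing suppressed volume: which roles the
    excluded AssumedRole sessions were issued from (sessionContext.sessionIssuer)."""
    return Counter(
        e["userIdentity"].get("sessionContext", {}).get("sessionIssuer", {}).get("userName")
        for e in events if identity_type(e) == "AssumedRole")


if __name__ == "__main__":
    before, after = alert_counts(SAMPLE_EVENTS)
    print(f"alerts before tuning: {before}, after tuning: {after}")
    print("still alerting by identity type:", dict(alerting_types(SAMPLE_EVENTS)))
    print("suppressed AssumedRole sessions by issuer:", dict(assumed_role_issuers(SAMPLE_EVENTS)))
```

When reviewing a tuning like this, the issuer breakdown is the check to run against real telemetry: if the suppressed AssumedRole volume comes from a small set of automation roles, the exclusion is doing what the PR describes; if it also hides sessions issued from roles a human would normally assume, a narrower exclusion (by issuer) may be preferable.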