diff --git a/packages/aws_cloudtrail_otel/changelog.yml b/packages/aws_cloudtrail_otel/changelog.yml
index 3c2a5ceb27a..ef411bd133b 100644
--- a/packages/aws_cloudtrail_otel/changelog.yml
+++ b/packages/aws_cloudtrail_otel/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.0"
+ changes:
+ - description: Add alerting rule templates
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/16750
 - version: "0.1.0"
 changes:
 - description: Initial draft of the AWS CloudTrail Logs OpenTelemetry Assets package
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-security-changes.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-security-changes.json
new file mode 100644
index 00000000000..daacade3067
--- /dev/null
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-security-changes.json
@@ -0,0 +1,28 @@
+{
+ "id": "aws-cloudtrail-otel-high-security-changes",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS CloudTrail OTEL] Excessive high-risk actions succeed",
+ "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any high risk actions succeded within a given threshold time from a single user or IP\nFROM logs-aws.cloudtrail.otel-default | WHERE @timestamp > NOW()- 10m | WHERE rpc.method IN (\"StopLogging\", \"DeleteTrail\",\"AttachUserPolicy\", \"AttachRolePolicy\",\"CreateAccessKey\", \"CreateUser\",\"AuthorizeSecurityGroupIngress\",\"DisableKey\", \"ScheduleKeyDeletion\")| STATS change_count = COUNT(*),changes = VALUES(rpc.method) BY user.name, source.address WHERE change_count >= 100 | SORT change_count DESC"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
\ No newline at end of file
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-massive-resource-deletion.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-massive-resource-deletion.json
new file mode 100644
index 00000000000..2bd7765ee79
--- /dev/null
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-massive-resource-deletion.json
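Review bot: The ES|QL in `esql` will not parse as written: `WHERE change_count >= 100` follows the `BY user.name, source.address` grouping without a pipe, and as far as I know a WHERE attached to a STATS aggregate must come before BY and can only filter input rows, not the aggregated `change_count`; the post-aggregation filter needs its own stage, `| STATS change_count = COUNT(*), changes = VALUES(rpc.method) BY user.name, source.address | WHERE change_count >= 100 | SORT change_count DESC`. The rule name and comment say the actions "succeed", yet unlike the massive-resource-deletion template there is no `WHERE aws.error.code IS NULL`, so denied or failed attempts are counted too; add that filter or rename the rule to describe attempts. Whether 100 such calls in 10 minutes is the right bar is a tuning choice, but for actions like StopLogging or DeleteTrail a single success is usually significant, so a comment explaining why the threshold is this high would help whoever tunes it. The comment also misspells "succeeded".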
@@ -0,0 +1,28 @@
+{
+ "id": "aws-cloudtrail-otel-massive-resource-deletion",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS CloudTrail OTEL] Massive resource deletion from same IP",
+ "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any source IP address whose delete requests exceed a threshold (e.g. > 1000 in 15 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.cloudtrail.otel-default | WHERE @timestamp > NOW()- 15m | WHERE aws.error.code IS NULL | WHERE rpc.method IN (\"TerminateInstances\",\"DeleteBucket\",\"DeleteDBInstance\",\"DeleteFunction\",\"DeleteVolume\",\"DeleteSnapshot\") | STATS deletion_count = COUNT(*) BY user.name, source.address | WHERE deletion_count >= 1000 | SORT deletion_count DESC"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
\ No newline at end of file
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-errors-spike.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-errors-spike.json
new file mode 100644
index 00000000000..c7f9fbd372c
--- /dev/null
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-errors-spike.json
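Review bot: The query window and the rule's time window disagree: `esql` filters on `@timestamp > NOW()- 15m` and its comment says "> 1000 in 15 minutes", while `timeWindowSize` is 10 with `timeWindowUnit` "m". If Kibana applies its own `timeField` range for the configured window, as it does for the other es-query search types, the effective window is the 10-minute intersection and the comment overstates it; either set `"timeWindowSize": 15,` or change the query and comment to 10m so the documented threshold is the real one. A short comment stating which of the two settings is authoritative would spare the next maintainer the same check.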
@@ -0,0 +1,28 @@
+{
+ "id": "aws-cloudtrail-otel-multiple-errors-spike",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS CloudTrail OTEL] Multiple error spike from same IP",
+ "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any source IP address whose error count exceed a threshold (e.g. > 100 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.cloudtrail.otel-default | WHERE aws.error.code IS NOT NULL | WHERE @timestamp > NOW()- 10m | STATS error_count = COUNT(*) BY source.address | WHERE error_count >= 100 | SORT error_count DESC"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-failed-login-ip.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-failed-login-ip.json
new file mode 100644
index 00000000000..186abac80b0
--- /dev/null
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-failed-login-ip.json
@@ -0,0 +1,28 @@
+{
+ "id": "aws-cloudtrail-otel-multiple-failed-login-ip",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS CloudTrail OTEL] Multiple failed login attempts from same IP",
+ "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any source IP address whose reject requests exceed a threshold (e.g. > 100 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.cloudtrail.otel-default | WHERE @timestamp > NOW()- 10m | WHERE rpc.method == \"ConsoleLogin\" | WHERE aws.error.code IS NOT NULL | STATS failed_count = COUNT(*), users_tried = VALUES(user.name) BY source.address | WHERE failed_count >= 100 | SORT failed_count DESC"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
\ No newline at end of file
diff --git a/packages/aws_cloudtrail_otel/manifest.yml b/packages/aws_cloudtrail_otel/manifest.yml
index 8ef91cf6e47..94b995581c1 100644
--- a/packages/aws_cloudtrail_otel/manifest.yml
+++ b/packages/aws_cloudtrail_otel/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.5.0
 name: aws_cloudtrail_otel
 title: "AWS CloudTrail Logs OpenTelemetry Assets"
-version: 0.1.0
+version: 0.2.0
 source:
 license: "Elastic-2.0"
 description: "AWS CloudTrail Logs OpenTelemetry Assets"
diff --git a/packages/aws_elb_otel/changelog.yml b/packages/aws_elb_otel/changelog.yml
index 1baaa93a2d2..65395a85f46 100644
--- a/packages/aws_elb_otel/changelog.yml
+++ b/packages/aws_elb_otel/changelog.yml
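Review bot: The `WHERE aws.error.code IS NOT NULL` filter may never match a failed console login: in raw CloudTrail a failed `ConsoleLogin` event typically carries `responseElements.ConsoleLogin = "Failure"` and `errorMessage = "Failed authentication"` but no `errorCode`, so if the package maps `aws.error.code` from `errorCode` only, this rule stays silent exactly when it should fire — confirm against the package's field mapping and test it with a real failed-login record. If the package exposes the response or error-message value, filter on that field instead of, or in addition to, the error code. A bar of 100 failures per source in 10 minutes is also well above what a slow credential-stuffing run produces, so either lower it or note in the comment why it is set this high.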
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.0"
+ changes:
+ - description: Add alerting rule templates
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/16750
 - version: "0.1.1"
 changes:
 - description: Add "Alternative setup using awss3receiver" section to README
diff --git a/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-level-failures.json b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-level-failures.json
new file mode 100644
index 00000000000..6b2761791f9
--- /dev/null
+++ b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-level-failures.json
@@ -0,0 +1,30 @@
+{
+ "id": "aws-elb-otel-application-level-failures",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS ELB OTEL] Applicationl level failures",
+ "tags": [
+ "AWS Elb Logs OpenTelemetry Assets"
+ ],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any client IP address whose error count exceed a threshold (e.g. > 50 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.elbaccess.otel-default | WHERE @timestamp > NOW()- 10m | WHERE aws.elb.status.code != 200| STATS error_count = COUNT(*) BY client.address | WHERE error_count >= 50 | SORT error_count DESC"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
\ No newline at end of file
diff --git a/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-target-failures.json b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-target-failures.json
new file mode 100644
index 00000000000..4837bc07a19
--- /dev/null
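Review bot: In the application-level-failures template, `WHERE aws.elb.status.code != 200` counts every non-200 response as an error, so a client doing ordinary redirects (301/302), conditional requests (304) or creates (201) trips the rule without any failure having occurred; the comment's intent is matched by `WHERE aws.elb.status.code >= 400`. The `name` also carries a typo, `Applicationl level failures`.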
+++ b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-target-failures.json
@@ -0,0 +1,28 @@
+{
+ "id": "aws-elb-otel-backend-target-failures",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS ELB OTEL] Backend target failures",
+ "tags": ["AWS Elb Logs OpenTelemetry Assets"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any source IP address whose backend error count exceed a threshold (e.g. > 100 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.elbaccess.otel-default | WHERE aws.error.code IS NOT NULL | WHERE @timestamp > NOW()- 15m | WHERE aws.elb.backend.status.code != 200| | STATS backend_error_count = COUNT(*), BY cloud.resource_id | WHERE backend_error_count >= 50 | SORT backend_error_count DESC"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
\ No newline at end of file
diff --git a/packages/aws_elb_otel/manifest.yml b/packages/aws_elb_otel/manifest.yml
index 08b09fc13af..1a28e9ced76 100644
--- a/packages/aws_elb_otel/manifest.yml
+++ b/packages/aws_elb_otel/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.5.0
 name: aws_elb_otel
 title: "AWS ELB OpenTelemetry Assets"
-version: 0.1.1
+version: 0.2.0
 source:
 license: "Elastic-2.0"
 description: "AWS ELB logs for OpenTelemetry Collector"
diff --git a/packages/aws_vpcflow_otel/changelog.yml b/packages/aws_vpcflow_otel/changelog.yml
index d4896e56806..fdbd5e01c0c 100644
--- a/packages/aws_vpcflow_otel/changelog.yml
+++ b/packages/aws_vpcflow_otel/changelog.yml
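Review bot: The `esql` string in the backend-target-failures template will not parse: `!= 200| | STATS` contains an empty pipeline stage and `COUNT(*), BY cloud.resource_id` leaves a trailing comma before BY, so the rule errors on every run instead of alerting. The `WHERE aws.error.code IS NOT NULL` stage looks copied from the CloudTrail templates — the source here is `logs-aws.elbaccess.otel-default`, and if that data stream has no such field the filter drops every row or fails on an unknown column; confirm against the ELB field set and remove it if absent. The window and threshold also disagree with the comment (`NOW()- 15m` and `>= 50` versus "100 in 10 minutes" and `timeWindowSize` 10), and `!= 200` over-matches in the same way as in the application-level rule. A corrected pipeline would read `FROM logs-aws.elbaccess.otel-default | WHERE @timestamp > NOW() - 10m | WHERE aws.elb.backend.status.code >= 500 | STATS backend_error_count = COUNT(*) BY cloud.resource_id | WHERE backend_error_count >= 50 | SORT backend_error_count DESC`, using `>= 400` instead if target-side client errors should count.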
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.0"
+ changes:
+ - description: Add alerting rule templates
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/16750
 - version: "0.1.1"
 changes:
 - description: Add "Alternative setup using awss3receiver" section to README
diff --git a/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-massive-data-transfer.json b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-massive-data-transfer.json
new file mode 100644
index 00000000000..78226232639
--- /dev/null
+++ b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-massive-data-transfer.json
@@ -0,0 +1,28 @@
+{
+ "id": "aws-vpcflow-otel-massive-data-transfer",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS VPC OTEL] Excessive data transfer from a single source",
+ "tags": ["AWS VPC Logs OpenTelemetry Assets"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any source IP address whose bytes exceed a threshold (e.g. > 50GB in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.vpcflow.otel-default | WHERE @timestamp > NOW()- 10m | STATS total_bytes = SUM(aws.vpc.flow.bytes) BY source.address | WHERE total_bytes > 53687091200 | SORT total_bytes DESC"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
\ No newline at end of file
diff --git a/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-reject-ip.json b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-reject-ip.json
new file mode 100644
index 00000000000..399f35735e0
--- /dev/null
+++ b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-reject-ip.json
@@ -0,0 +1,28 @@
+{
+ "id": "aws-vpcflow-otel-reject-ip",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS VPC OTEL] Excessive REJECT actions with single source IP",
+ "tags": ["AWS VPC Logs OpenTelemetry Assets"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any source IP address whose reject requests exceed a threshold (e.g. > 1000 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.vpcflow.otel-default | WHERE @timestamp > NOW()- 10m | STATS reject_count= COUNT(aws.vpc.flow.action == \"REJECT\" OR NULL) BY source.address | WHERE reject_count > 100 | SORT reject_count DESC"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
\ No newline at end of file
diff --git a/packages/aws_vpcflow_otel/manifest.yml b/packages/aws_vpcflow_otel/manifest.yml
index cd6bbf52eb3..b25c38d298d 100644
--- a/packages/aws_vpcflow_otel/manifest.yml
+++ b/packages/aws_vpcflow_otel/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.5.0
 name: aws_vpcflow_otel
 title: "AWS VPC Flow Logs OpenTelemetry Assets"
-version: 0.1.1
+version: 0.2.0
 source:
 license: "Elastic-2.0"
 description: "AWS VPC Flow Logs OpenTelemetry Assets"
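Review bot: In the reject-ip template the comment in `esql` promises a threshold of "> 1000 in 10 minutes" but the filter is `WHERE reject_count > 100`, and the other templates use `>=`; align the comment and the operator so the documented bar is the effective one. `COUNT(aws.vpc.flow.action == "REJECT" OR NULL)` relies on `false OR NULL` being null to exclude rows, which works but is obscure; if the target stack supports the per-aggregate filter, `STATS reject_count = COUNT(*) WHERE aws.vpc.flow.action == "REJECT" BY source.address` states the intent directly. `reject_count= COUNT` also lacks the space before `=` that the sibling templates use.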