elastic · Linu-Elias · Jan 2, 2026 · Jan 2, 2026 · Jan 2, 2026 · Jan 4, 2026
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.0"
+  changes:
+    - description: Add alerting rule templates
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/16750
 - version: "0.1.0"
   changes:
     - description: Initial draft of the AWS CloudTrail Logs OpenTelemetry Assets package

@@ -0,0 +1,28 @@
+{
+    "id": "aws-cloudtrail-otel-high-security-changes",
+    "type": "alerting_rule_template",
+    "attributes": {
+        "name": "[AWS CloudTrail OTEL] Excessive high-risk actions succeed",
+        "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
+        "ruleTypeId": ".es-query",
+        "schedule": {
+            "interval": "5m"
+        },
+        "params": {
+            "searchType": "esqlQuery",
+            "timeWindowSize": 10,
+            "timeWindowUnit": "m",
+            "esqlQuery": {
+                "esql": "// Alert triggers when any high risk actions succeded within a given threshold time from a single user or IP\nFROM logs-aws.cloudtrail.otel-default | WHERE @timestamp > NOW()- 10m | WHERE rpc.method IN (\"StopLogging\", \"DeleteTrail\",\"AttachUserPolicy\", \"AttachRolePolicy\",\"CreateAccessKey\", \"CreateUser\",\"AuthorizeSecurityGroupIngress\",\"DisableKey\", \"ScheduleKeyDeletion\")| STATS change_count = COUNT(*),changes = VALUES(rpc.method) BY user.name, source.address WHERE change_count >= 100 | SORT change_count DESC"
+            },
+            "groupBy": "row",
+            "timeField": "@timestamp"
+        },
+        "alertDelay": {
+            "active": 1
+        }
+    },
+    "managed": true,
+    "coreMigrationVersion": "8.8.0",
+    "typeMigrationVersion": "10.1.0"
+}
@@ -0,0 +1,28 @@
+{
+    "id": "aws-cloudtrail-otel-massive-resource-deletion",
+    "type": "alerting_rule_template",
+    "attributes": {
+        "name": "[AWS CloudTrail OTEL] Massive resource deletion from same IP",
+        "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
+        "ruleTypeId": ".es-query",
+        "schedule": {
+            "interval": "5m"
+        },
+        "params": {
+            "searchType": "esqlQuery",
+            "timeWindowSize": 10,
+            "timeWindowUnit": "m",
+            "esqlQuery": {
+                "esql": "// Alert triggers when any source IP address whose delete requests exceed a threshold (e.g. > 1000 in 15 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.cloudtrail.otel-default | WHERE @timestamp > NOW()- 15m | WHERE aws.error.code IS NULL | WHERE rpc.method IN (\"TerminateInstances\",\"DeleteBucket\",\"DeleteDBInstance\",\"DeleteFunction\",\"DeleteVolume\",\"DeleteSnapshot\") | STATS deletion_count = COUNT(*) BY user.name, source.address | WHERE deletion_count >= 1000 | SORT deletion_count DESC"
+            },
+            "groupBy": "row",
+            "timeField": "@timestamp"
+        },
+        "alertDelay": {
+            "active": 1
+        }
+    },
+    "managed": true,
+    "coreMigrationVersion": "8.8.0",
+    "typeMigrationVersion": "10.1.0"
+}
@@ -0,0 +1,28 @@
+{
+    "id": "aws-cloudtrail-otel-multiple-errors-spike",
+    "type": "alerting_rule_template",
+    "attributes": {
+        "name": "[AWS CloudTrail OTEL] Multiple error spike from same IP",
+        "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
+        "ruleTypeId": ".es-query",
+        "schedule": {
+            "interval": "5m"
+        },
+        "params": {
+            "searchType": "esqlQuery",
+            "timeWindowSize": 10,
+            "timeWindowUnit": "m",
+            "esqlQuery": {
+                "esql": "// Alert triggers when any source IP address whose error count exceed a threshold (e.g. > 100 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.cloudtrail.otel-default | WHERE aws.error.code IS NOT NULL | WHERE @timestamp > NOW()- 10m | STATS error_count = COUNT(*) BY source.address | WHERE error_count >= 100 | SORT error_count DESC"
+            },
+            "groupBy": "row",
+            "timeField": "@timestamp"
+        },
+        "alertDelay": {
+            "active": 1
+        }
+    },
+    "managed": true,
+    "coreMigrationVersion": "8.8.0",
+    "typeMigrationVersion": "10.1.0"
+}
@@ -0,0 +1,28 @@
+{
+    "id": "aws-cloudtrail-otel-multiple-failed-login-ip",
+    "type": "alerting_rule_template",
+    "attributes": {
+        "name": "[AWS CloudTrail OTEL] Multiple failed login attempts from same IP",
+        "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
+        "ruleTypeId": ".es-query",
+        "schedule": {
+            "interval": "5m"
+        },
+        "params": {
+            "searchType": "esqlQuery",
+            "timeWindowSize": 10,
+            "timeWindowUnit": "m",
+            "esqlQuery": {
+                "esql": "// Alert triggers when any source IP address whose reject requests exceed a threshold (e.g. > 100 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.cloudtrail.otel-default | WHERE @timestamp > NOW()- 10m | WHERE rpc.method == \"ConsoleLogin\" | WHERE aws.error.code IS NOT NULL | STATS failed_count = COUNT(*), users_tried = VALUES(user.name) BY source.address | WHERE failed_count >= 100 | SORT failed_count DESC"
+            },
+            "groupBy": "row",
+            "timeField": "@timestamp"
+        },
+        "alertDelay": {
+            "active": 1
+        }
+    },
+    "managed": true,
+    "coreMigrationVersion": "8.8.0",
+    "typeMigrationVersion": "10.1.0"
+}
@@ -1,7 +1,7 @@
 format_version: 3.5.0
 name: aws_cloudtrail_otel
 title: "AWS CloudTrail Logs OpenTelemetry Assets"
-version: 0.1.0
+version: 0.2.0
 source:
   license: "Elastic-2.0"
 description: "AWS CloudTrail Logs OpenTelemetry Assets"

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.0"
+  changes:
+    - description: Add alerting rule templates
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/16750
 - version: "0.1.1"
   changes:
     - description: Add "Alternative setup using awss3receiver" section to README

@@ -0,0 +1,30 @@
+{
+    "id": "aws-elb-otel-application-level-failures",
+    "type": "alerting_rule_template",
+    "attributes": {
+        "name": "[AWS ELB OTEL] Applicationl level failures",
+        "tags": [
+            "AWS Elb Logs OpenTelemetry Assets"
+        ],
+        "ruleTypeId": ".es-query",
+        "schedule": {
+            "interval": "5m"
+        },
+        "params": {
+            "searchType": "esqlQuery",
+            "timeWindowSize": 10,
+            "timeWindowUnit": "m",
+            "esqlQuery": {
+                "esql": "// Alert triggers when any client IP address whose error count exceed a threshold (e.g. > 50 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.elbaccess.otel-default | WHERE @timestamp > NOW()- 10m | WHERE aws.elb.status.code != 200| STATS error_count = COUNT(*) BY client.address | WHERE error_count >= 50 | SORT error_count DESC"
+            },
+            "groupBy": "row",
+            "timeField": "@timestamp"
+        },
+        "alertDelay": {
+            "active": 1
+        }
+    },
+    "managed": true,
+    "coreMigrationVersion": "8.8.0",
+    "typeMigrationVersion": "10.1.0"
+}
@@ -0,0 +1,28 @@
+{
+    "id": "aws-elb-otel-backend-target-failures",
+    "type": "alerting_rule_template",
+    "attributes": {
+        "name": "[AWS ELB OTEL] Backend target failures",
+        "tags": ["AWS Elb Logs OpenTelemetry Assets"],
+        "ruleTypeId": ".es-query",
+        "schedule": {
+            "interval": "5m"
+        },
+        "params": {
+            "searchType": "esqlQuery",
+            "timeWindowSize": 10,
+            "timeWindowUnit": "m",
+            "esqlQuery": {
+                "esql": "// Alert triggers when any source IP address whose backend error count exceed a threshold (e.g. > 100 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.elbaccess.otel-default | WHERE aws.error.code IS NOT NULL | WHERE @timestamp > NOW()- 15m | WHERE aws.elb.backend.status.code != 200| | STATS backend_error_count = COUNT(*), BY cloud.resource_id | WHERE backend_error_count >= 50 | SORT backend_error_count DESC"
+            },
+            "groupBy": "row",
+            "timeField": "@timestamp"
+        },
+        "alertDelay": {
+            "active": 1
+        }
+    },
+    "managed": true,
+    "coreMigrationVersion": "8.8.0",
+    "typeMigrationVersion": "10.1.0"
+}
@@ -1,7 +1,7 @@
 format_version: 3.5.0
 name: aws_elb_otel
 title: "AWS ELB OpenTelemetry Assets"
-version: 0.1.1
+version: 0.2.0
 source:
   license: "Elastic-2.0"
 description: "AWS ELB logs for OpenTelemetry Collector"

@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.0"
+  changes:
+    - description: Add alerting rule templates
+      type: enhancement
+      link: https://github.com/elastic/integrations/pull/16750
 - version: "0.1.1"
   changes:
     - description: Add "Alternative setup using awss3receiver" section to README

@@ -0,0 +1,28 @@
+{
+    "id": "aws-vpcflow-otel-massive-data-transfer",
+    "type": "alerting_rule_template",
+    "attributes": {
+        "name": "[AWS VPC OTEL] Excessive data transfer from a single source",
+        "tags": ["AWS VPC Logs OpenTelemetry Assets"],
+        "ruleTypeId": ".es-query",
+        "schedule": {
+            "interval": "5m"
+        },
+        "params": {
+            "searchType": "esqlQuery",
+            "timeWindowSize": 10,
+            "timeWindowUnit": "m",
+            "esqlQuery": {
+                "esql": "// Alert triggers when any source IP address whose bytes exceed a threshold (e.g. > 50GB in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.vpcflow.otel-default | WHERE @timestamp > NOW()- 10m | STATS total_bytes = SUM(aws.vpc.flow.bytes) BY source.address | WHERE total_bytes > 53687091200 | SORT total_bytes DESC"
+            },
+            "groupBy": "row",
+            "timeField": "@timestamp"
+        },
+        "alertDelay": {
+            "active": 1
+        }
+    },
+    "managed": true,
+    "coreMigrationVersion": "8.8.0",
+    "typeMigrationVersion": "10.1.0"
+}
@@ -0,0 +1,28 @@
+{
+    "id": "aws-vpcflow-otel-reject-ip",
+    "type": "alerting_rule_template",
+    "attributes": {
+        "name": "[AWS VPC OTEL] Excessive REJECT actions with single source IP",
+        "tags": ["AWS VPC Logs OpenTelemetry Assets"],
+        "ruleTypeId": ".es-query",
+        "schedule": {
+            "interval": "5m"
+        },
+        "params": {
+            "searchType": "esqlQuery",
+            "timeWindowSize": 10,
+            "timeWindowUnit": "m",
+            "esqlQuery": {
+                "esql": "// Alert triggers when any source IP address whose reject requests exceed a threshold (e.g. > 1000 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.vpcflow.otel-default | WHERE @timestamp > NOW()- 10m | STATS reject_count= COUNT(aws.vpc.flow.action == \"REJECT\" OR NULL) BY source.address | WHERE reject_count > 100 | SORT reject_count DESC"
+            },
+            "groupBy": "row",
+            "timeField": "@timestamp"
+        },
+        "alertDelay": {
+            "active": 1
+        }
+    },
+    "managed": true,
+    "coreMigrationVersion": "8.8.0",
+    "typeMigrationVersion": "10.1.0"
+}
@@ -1,7 +1,7 @@
 format_version: 3.5.0
 name: aws_vpcflow_otel
 title: "AWS VPC Flow Logs OpenTelemetry Assets"
-version: 0.1.1
+version: 0.2.0
 source:
   license: "Elastic-2.0"
 description: "AWS VPC Flow Logs OpenTelemetry Assets"