diff --git a/packages/aws_cloudtrail_otel/changelog.yml b/packages/aws_cloudtrail_otel/changelog.yml
index 3c2a5ceb27a..ef411bd133b 100644
--- a/packages/aws_cloudtrail_otel/changelog.yml
+++ b/packages/aws_cloudtrail_otel/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.0"
+ changes:
+ - description: Add alerting rule templates
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/16750
 - version: "0.1.0"
 changes:
 - description: Initial draft of the AWS CloudTrail Logs OpenTelemetry Assets package
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-error-rate.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-error-rate.json
new file mode 100644
index 00000000000..dc876a037cf
--- /dev/null
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-error-rate.json
@@ -0,0 +1,28 @@
+{
+ "id": "aws-cloudtrail-otel-high-error-rate",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS CloudTrail OTEL] High error rate",
+ "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any source IP address whose critical error count exceed a threshold (e.g. > 5 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.cloudtrail.otel-default| WHERE aws.error.code IN (\"InvalidClientTokenId\",\"SignatureDoesNotMatch\",\"InvalidAccessKeyId\",\"ExpiredToken\",\"InvalidToken\",\"InvalidPassword\",\"Failed authentication\",\"UnrecognizedClientException\",\"AccessDenied\",\"AccessDeniedException\",\"UnauthorizedOperation\")| STATS error_count = COUNT(*) BY source.address| WHERE error_count > 5"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-resource-deletion.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-resource-deletion.json
new file mode 100644
index 00000000000..d197fa53b64
--- /dev/null
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-resource-deletion.json
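Review bot: `"Failed authentication"` in the `aws.error.code` IN list looks like dead criteria: in CloudTrail that string is the `errorMessage` of a failed `ConsoleLogin` event, which as far as I know carries no `errorCode` at all, so unless this package copies the message into `aws.error.code` the console-login failures this rule presumably wants will never be counted — confirm against the package's field mapping. Grouping only by `source.address` also leaves the analyst without the identity that was being tried; `STATS error_count = COUNT(*), principals = VALUES(aws.principal.arn), actions = VALUES(rpc.method) BY source.address` costs nothing and matches what the high-risk-actions template in this PR already does. Note too that `AccessDenied` from one over-scheduled automation role will trip `> 5` in 10 minutes constantly, so the header comment should say the threshold is a per-account starting point rather than a recommendation.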
@@ -0,0 +1,28 @@
+{
+ "id": "aws-cloudtrail-otel-high-resource-deletion",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS CloudTrail OTEL] High resource deletion",
+ "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any source IP address whose delete requests exceed a threshold (e.g. > 5 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.cloudtrail.otel-default | WHERE aws.error.code IS NULL | WHERE rpc.method IN (\"TerminateInstances\",\"DeleteBucket\",\"DeleteDBInstance\",\"DeleteFunction\",\"DeleteVolume\",\"DeleteSnapshot\") | STATS deletion_count = COUNT(*) BY source.address | WHERE deletion_count >= 5"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
\ No newline at end of file
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-risk-actions-succeeded.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-risk-actions-succeeded.json
new file mode 100644
index 00000000000..c8f2a62e5aa
--- /dev/null
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-risk-actions-succeeded.json
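Review bot: The header comment says the threshold is `> 5` but the query fires at `deletion_count >= 5`; the comment is what an operator tunes from, so make them agree — either `// ... (e.g. >= 5 in 10 minutes)` or `WHERE deletion_count > 5`. Counting API calls per `source.address` also understates bulk deletion: a single `TerminateInstances` call can name many instances in its request parameters, so one call may be the whole incident and never reach five. Consider adding the actor for triage, `STATS deletion_count = COUNT(*), principals = VALUES(aws.principal.arn), actions = VALUES(rpc.method) BY source.address`, and be aware that `source.address` for service-initiated deletions (Auto Scaling, for example) is presumably an AWS service hostname rather than an IP, which will bucket very differently from human sources.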
@@ -0,0 +1,28 @@
+{
+ "id": "aws-cloudtrail-otel-high-risk-actions-succeeded",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS CloudTrail OTEL] High-risk actions succeeded",
+ "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any high risk actions succeded within a given threshold time from a single user or IP\nFROM logs-aws.cloudtrail.otel-default | WHERE rpc.method IN (\"StopLogging\", \"DeleteTrail\", \"UpdateTrail\", \"AttachUserPolicy\", \"AttachRolePolicy\", \"PutUserPolicy\", \"PutRolePolicy\", \"CreateAccessKey\", \"CreateUser\", \"CreateLoginProfile\", \"DisableKey\", \"ScheduleKeyDeletion\", \"DeleteBucket\", \"PutBucketPolicy\", \"PutBucketLogging\", \"DeleteDetector\", \"DeleteMembers\", \"DisassociateFromMasterAccount\", \"DeleteFlowLogs\", \"DeleteAlarms\", \"DeleteConfigRule\", \"DeleteEventBusRule\") AND aws.error.code IS NULL | STATS action_count = COUNT(*), actions = VALUES(rpc.method), ips = VALUES(source.address) BY aws.principal.arn, user.name | WHERE action_count>1"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
\ No newline at end of file
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-failed-login-attempts.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-failed-login-attempts.json
new file mode 100644
index 00000000000..4349c6208bc
--- /dev/null
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-failed-login-attempts.json
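Review bot: `WHERE action_count>1` means a principal that performs exactly one `StopLogging`, `DeleteTrail`, `DeleteFlowLogs`, `CreateLoginProfile` or `CreateAccessKey` in the 10-minute window never alerts, yet for the logging-tampering and persistence actions in this list a single successful call is the whole signal. Either drop the filter (omit the final `WHERE`, or `WHERE action_count >= 1`) or split the template so that trail/GuardDuty/flow-log/Config tampering alerts on the first occurrence and only the noisier IAM policy attachments keep a count threshold. The comment says "from a single user or IP" while the grouping is `BY aws.principal.arn, user.name` with `source.address` only collected via `VALUES`, and "succeded" is misspelled. I also don't find `DeleteEventBusRule` in the EventBridge API (the action is `DeleteRule`), so confirm that entry before this ships as a managed template.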
@@ -0,0 +1,28 @@
+{
+ "id": "aws-cloudtrail-otel-multiple-failed-login-attempts",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS CloudTrail OTEL] Multiple failed login attempts",
+ "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any source IP address whose reject requests exceed a threshold (e.g. > 100 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.cloudtrail.otel-default | WHERE @timestamp > NOW()- 10m | WHERE rpc.method == \"ConsoleLogin\" | WHERE aws.error.code IS NOT NULL | STATS failed_count = COUNT(*), users_tried = VALUES(user.name) BY source.address | WHERE failed_count >= 100 | SORT failed_count DESC"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
\ No newline at end of file
diff --git a/packages/aws_cloudtrail_otel/manifest.yml b/packages/aws_cloudtrail_otel/manifest.yml
index 8ef91cf6e47..94b995581c1 100644
--- a/packages/aws_cloudtrail_otel/manifest.yml
+++ b/packages/aws_cloudtrail_otel/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.5.0
 name: aws_cloudtrail_otel
 title: "AWS CloudTrail Logs OpenTelemetry Assets"
-version: 0.1.0
+version: 0.2.0
 source:
 license: "Elastic-2.0"
 description: "AWS CloudTrail Logs OpenTelemetry Assets"
diff --git a/packages/aws_elb_otel/changelog.yml b/packages/aws_elb_otel/changelog.yml
index 1baaa93a2d2..65395a85f46 100644
--- a/packages/aws_elb_otel/changelog.yml
+++ b/packages/aws_elb_otel/changelog.yml
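Review bot: `WHERE aws.error.code IS NOT NULL` is probably the wrong failure signal for `ConsoleLogin`: in CloudTrail a failed console login is recorded with `errorMessage: "Failed authentication"` and `responseElements.ConsoleLogin: "Failure"` and, as far as I know, no `errorCode`, so this rule may never count a single failed login unless the package maps the message into `aws.error.code` — check the mapping and, if a response-element field exists, filter on that instead. The explicit `WHERE @timestamp > NOW()- 10m` is also inconsistent with every other template in this PR, which rely on `timeWindowSize`/`timeField`; a hard-coded 10m silently desynchronises from the rule window the moment an operator changes `timeWindowSize`, so drop it. `failed_count >= 100` from one IP in 10 minutes is a brute-force threshold, not a spray threshold — low-and-slow sprays across many users sit far below it — so consider a second condition such as `COUNT_DISTINCT(user.name)` over a lower count. Finally the header comment talks about "reject requests" and `> 100` while the query counts failed logins at `>= 100`; it reads as a copy of the VPC template and should be rewritten for this rule.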
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.0"
+ changes:
+ - description: Add alerting rule templates
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/16750
 - version: "0.1.1"
 changes:
 - description: Add "Alternative setup using awss3receiver" section to README
diff --git a/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-errors.json b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-errors.json
new file mode 100644
index 00000000000..b6ef7933f96
--- /dev/null
+++ b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-errors.json
@@ -0,0 +1,30 @@
+{
+ "id": "aws-elb-otel-application-errors",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS ELB OTEL] Application errors",
+ "tags": [
+ "AWS Elb Logs OpenTelemetry Assets"
+ ],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any client resource.id whose error count exceed a threshold (e.g. 50 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.elbaccess.otel-default | WHERE aws.elb.status.code >= 400| STATS error_count = COUNT(*) BY cloud.resource_id | WHERE error_count >= 50"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
\ No newline at end of file
diff --git a/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-errors.json b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-errors.json
new file mode 100644
index 00000000000..603ee5a35e9
--- /dev/null
+++ b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-errors.json
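Review bot: `aws.elb.status.code >= 400` has no upper bound, so every 5xx counted by the sibling "Backend errors" template is counted here again and both rules fire together on one backend outage; if this rule is meant to be the client-side view the comment describes, bound it, `WHERE aws.elb.status.code >= 400 AND aws.elb.status.code < 500`. The header comment also says "any client resource.id" while the grouping is `BY cloud.resource_id`, which is presumably the load balancer rather than the client; if the intent is to catch a scanning or abusive client rather than a broken app, group by the client address instead (whatever ECS field the package maps it to — not visible in this diff) and say so in the comment. 50 errors in 10 minutes per load balancer is also low enough that 404 noise alone will page on most production ELBs, so the comment should flag it as a starting point to tune, not a recommendation.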
@@ -0,0 +1,28 @@
+{
+ "id": "aws-elb-otel-backend-errors",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS ELB OTEL] Backend errors",
+ "tags": ["AWS Elb Logs OpenTelemetry Assets"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any resource.id whose backend service error count exceed a threshold (e.g. > 50 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.elbaccess.otel-default | WHERE aws.elb.backend.status.code >= 500| STATS backend_error_count = COUNT(*), BY cloud.resource_id | WHERE backend_error_count >= 50"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
\ No newline at end of file
diff --git a/packages/aws_elb_otel/manifest.yml b/packages/aws_elb_otel/manifest.yml
index 08b09fc13af..1a28e9ced76 100644
--- a/packages/aws_elb_otel/manifest.yml
+++ b/packages/aws_elb_otel/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.5.0
 name: aws_elb_otel
 title: "AWS ELB OpenTelemetry Assets"
-version: 0.1.1
+version: 0.2.0
 source:
 license: "Elastic-2.0"
 description: "AWS ELB logs for OpenTelemetry Collector"
diff --git a/packages/aws_vpcflow_otel/changelog.yml b/packages/aws_vpcflow_otel/changelog.yml
index d4896e56806..fdbd5e01c0c 100644
--- a/packages/aws_vpcflow_otel/changelog.yml
+++ b/packages/aws_vpcflow_otel/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.0"
+ changes:
+ - description: Add alerting rule templates
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/16750
 - version: "0.1.1"
 changes:
 - description: Add "Alternative setup using awss3receiver" section to README
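Review bot: `STATS backend_error_count = COUNT(*), BY cloud.resource_id` has a stray comma before `BY`; as far as I can tell ES|QL does not accept a trailing comma in the aggregation list, so this template would fail to parse on every run and the rule would silently never fire — it should read `STATS backend_error_count = COUNT(*) BY cloud.resource_id`, and running each template's query once before merge (or a package test that does) would have caught it. The header comment also says `> 50` while the query fires at `backend_error_count >= 50`; align them, since the comment is what an operator tunes from. Note that the `tags` value here, "AWS Elb Logs OpenTelemetry Assets", does not match the package title "AWS ELB OpenTelemetry Assets" in the manifest hunk below — presumably harmless, but worth checking whether anything keys asset tags off the package title.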
diff --git a/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-high-data-transfer-rate.json b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-high-data-transfer-rate.json
new file mode 100644
index 00000000000..7a1d06bd3fe
--- /dev/null
+++ b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-high-data-transfer-rate.json
@@ -0,0 +1,28 @@
+{
+ "id": "aws-vpcflow-otel-high-data-transfer-rate",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS VPC OTEL] High data transfer rate",
+ "tags": ["AWS VPC Logs OpenTelemetry Assets"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any source whose bytes exceed a threshold (e.g. > 50GB in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.vpcflow.otel-default| WHERE aws.vpc.flow.action == \"ACCEPT\"| STATS total_bytes = SUM(aws.vpc.flow.bytes) BY network.interface.name| WHERE total_bytes > 53687091200"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
\ No newline at end of file
diff --git a/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-high-reject-actions.json b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-high-reject-actions.json
new file mode 100644
index 00000000000..1faa76320ca
--- /dev/null
+++ b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-high-reject-actions.json
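Review bot: `SUM(aws.vpc.flow.bytes) BY network.interface.name` over `ACCEPT` records adds ingress and egress together, so the rule is a capacity alarm rather than an exfiltration signal — a backup restore into an instance and a 50 GiB outbound copy to an unknown host look identical. If the package maps the flow-log direction field (v5 `flow-direction`), add it to the grouping or filter to egress so outbound volume stands on its own, and consider `VALUES(destination.address)` so the alert says where the bytes went; both depend on what the vpcflow mapping exposes, which this diff does not show. Separately, flow-log records are aggregated per capture window and delivered with a lag that is commonly several minutes, so a 10-minute `timeWindowSize` evaluated every 5m may systematically see partial windows; the header comment should say the window has to cover the delivery delay, and `50GB` in the comment is `53687091200` = 50 GiB in the query, which is fine but worth stating.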
@@ -0,0 +1,28 @@
+{
+ "id": "aws-vpcflow-otel-high-reject-actions",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS VPC OTEL] High reject actions",
+ "tags": ["AWS VPC Logs OpenTelemetry Assets"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any source whose reject requests exceed a threshold (e.g. > 1000 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.vpcflow.otel-default| WHERE aws.vpc.flow.action == \"REJECT\"| STATS reject_count = COUNT(*) BY network.interface.name| WHERE reject_count > 100"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
\ No newline at end of file
diff --git a/packages/aws_vpcflow_otel/manifest.yml b/packages/aws_vpcflow_otel/manifest.yml
index cd6bbf52eb3..b25c38d298d 100644
--- a/packages/aws_vpcflow_otel/manifest.yml
+++ b/packages/aws_vpcflow_otel/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.5.0
 name: aws_vpcflow_otel
 title: "AWS VPC Flow Logs OpenTelemetry Assets"
-version: 0.1.1
+version: 0.2.0
 source:
 license: "Elastic-2.0"
 description: "AWS VPC Flow Logs OpenTelemetry Assets"
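Review bot: The header comment says the threshold is `> 1000` but the query fires at `reject_count > 100`, an order of magnitude apart; one of them is wrong and the comment is what an operator tunes from, so align them (`WHERE reject_count > 1000` or fix the comment). A bare reject count per ENI also gives the analyst nothing to triage — a port scan and a misconfigured security group both produce thousands of REJECTs — so add the shape of the traffic, e.g. `STATS reject_count = COUNT(*), sources = VALUES(source.address), dst_ports = COUNT_DISTINCT(destination.port) BY network.interface.name`, assuming the vpcflow mapping exposes those ECS fields, which this diff does not show. The same flow-log delivery lag caveat as for the data-transfer template applies here: a 10-minute window evaluated every 5m will often see partial data.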