From 4e63f7aecd60814551cb48464f5f233f180f1033 Mon Sep 17 00:00:00 2001 From: Linu Elias Date: Fri, 2 Jan 2026 09:48:45 +0530 Subject: [PATCH 01/10] Alerts --- ...cloudtrail-otel-high-security-changes.json | 28 +++++++++++++++++++ ...cloudtrail-otel-multiple-errors-spike.json | 28 +++++++++++++++++++ ...udtrail-otel-multiple-failed-login-ip.json | 28 +++++++++++++++++++ ...aws-cloudtrail-otel-resource-deletion.json | 28 +++++++++++++++++++ .../aws-vpcflow-otel-blocked-ip.json | 28 +++++++++++++++++++ ...ws-vpcflow-otel-massive-data-transfer.json | 28 +++++++++++++++++++ 6 files changed, 168 insertions(+)
create mode 100644 packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-security-changes.json
create mode 100644 packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-errors-spike.json
create mode 100644 packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-failed-login-ip.json
create mode 100644 packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-resource-deletion.json
create mode 100644 packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-blocked-ip.json
create mode 100644 packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-massive-data-transfer.json
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-security-changes.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-security-changes.json
new file mode 100644
index 00000000000..728a981e2eb
--- /dev/null
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-security-changes.json
@@ -0,0 +1,28 @@
+{
+ "id": "aws-cloudtrail-otel-high-security-changes",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS CLOUDTRAIL OTEL] Excessive high-risk actions succeed",
+ "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any high risk actions succeded within a given threshold time from a single user or IP\nFROM logs-aws.cloudtrail.otel-default | WHERE @timestamp > NOW()- 10m | WHERE rpc.method IN (\"StopLogging\", \"DeleteTrail\",\"AttachUserPolicy\", \"AttachRolePolicy\",\"CreateAccessKey\", \"CreateUser\",\"AuthorizeSecurityGroupIngress\",\"DisableKey\", \"ScheduleKeyDeletion\")| STATS change_count = COUNT(*),changes = VALUES(rpc.method) BY user.name, source.address"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
\ No newline at end of file
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-errors-spike.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-errors-spike.json
new file mode 100644
index 00000000000..220359570d3
--- /dev/null
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-errors-spike.json
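Review bot: The rule name says the high-risk actions "succeed", but the esql string filters only on rpc.method and never excludes failed calls, so a burst of AccessDenied attempts is counted exactly like a burst of successful ones. The resource-deletion template in this same commit already uses `| WHERE aws.error.code IS NULL` for that purpose; adding the same stage after the timestamp filter here would make the two templates consistent and make the title true. The leading comment also reads "succeded" and speaks of "a given threshold", while this version of the query has no count threshold at all — every matching event fires — so either the comment or the query should state which behaviour is intended; patch 07's hunk on this file is where the threshold is later bolted on.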
@@ -0,0 +1,28 @@
+{
+ "id": "aws-cloudtrail-multiple-errors-spike",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS CLOUDTRAIL OTEL] Multiple failed login attempts from same IP",
+ "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any source IP address whose error count exceed a threshold (e.g. > 100 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.cloudtrail.otel-default | WHERE aws.error.code IS NOT NULL | WHERE @timestamp > NOW()- 10m | STATS error_count = COUNT(*) BY source.address | WHERE error_count >= 100 | SORT error_count DESC"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
\ No newline at end of file
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-failed-login-ip.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-failed-login-ip.json
new file mode 100644
index 00000000000..82313b64901
--- /dev/null
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-failed-login-ip.json
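Review bot: The leading comment in the esql string tells operators the threshold is "> 100" while the filter is `WHERE error_count >= 100`; since the comment is the only documentation the rule carries, the two should agree, e.g. `(e.g. >= 100 in 10 minutes)`. The same ">" versus ">=" wording mismatch appears in the failed-login and resource-deletion templates of this commit and in both ELB templates added in patch 05. As a smaller point of consistency, this is the only CloudTrail template that puts the `aws.error.code` predicate before the timestamp filter; the others filter on @timestamp first, which reads better as the window definition.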
@@ -0,0 +1,28 @@
+{
+ "id": "aws-cloudtrail-otel-multiple-failed-login-ip",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS CLOUDTRAIL OTEL] Multiple failed login attempts from same IP",
+ "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any source IP address whose reject requests exceed a threshold (e.g. > 100 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.cloudtrail.otel-default | WHERE @timestamp > NOW()- 10m | WHERE rpc.method == \"ConsoleLogin\" | WHERE aws.error.code IS NOT NULL | STATS failed_count = COUNT(*), users_tried = VALUES(user.name) BY source.address | WHERE failed_count >= 100 | SORT failed_count DESC"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
\ No newline at end of file
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-resource-deletion.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-resource-deletion.json
new file mode 100644
index 00000000000..23b8b31f65c
--- /dev/null
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-resource-deletion.json
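Review bot: The failure test `WHERE aws.error.code IS NOT NULL` may never match the events this rule is for: as far as I recall, a failed CloudTrail ConsoleLogin record carries `errorMessage: "Failed authentication"` and `responseElements.ConsoleLogin: "Failure"` but no errorCode, so if aws.error.code is mapped from errorCode the rule stays silent on failed console logins. Verify against a sample failed-login record from the OTel pipeline and, if that holds, filter on whichever field the mapping derives from errorMessage or responseElements instead. The comment also says "reject requests", which is copied from the VPC flow template and should say failed login attempts, and its "> 100" disagrees with `>= 100`. Requiring 100 failures from one address in 10 minutes is a high bar for a console brute-force signal; the comment already marks the value as tunable, so a lower default is worth considering.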
@@ -0,0 +1,28 @@
+{
+ "id": "aws-cloudtrail-otel-multiple-failed-login-ip",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS CLOUDTRAIL OTEL] Multiple failed login attempts from same IP",
+ "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any source IP address whose delete requests exceed a threshold (e.g. > 1000 in 15 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.cloudtrail.otel-default | WHERE @timestamp > NOW()- 15m | WHERE aws.error.code IS NULL | WHERE rpc.method IN (\"TerminateInstances\",\"DeleteBucket\",\"DeleteDBInstance\",\"DeleteFunction\",\"DeleteVolume\",\"DeleteSnapshot\") | STATS deletion_count = COUNT(*) BY user.name, source.address | WHERE deletion_count >= 100 | SORT deletion_count DESC"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
\ No newline at end of file
diff --git a/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-blocked-ip.json b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-blocked-ip.json
new file mode 100644
index 00000000000..6a004b91ba0
--- /dev/null
+++ b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-blocked-ip.json
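Review bot: The query window and the rule window disagree: the esql string uses `WHERE @timestamp > NOW()- 15m` and its comment says "15 minutes", but `"timeWindowSize": 10` with `"timeWindowUnit": "m"` tells the es-query rule to look back 10 minutes, so the effective window depends on how the rule type combines its own time filter with the query's — either set `"timeWindowSize": 15` or change the query to `NOW()- 10m`. Patch 07's hunk on this file retunes the count threshold but leaves this mismatch in place, and the backend-target-failures ELB template added in patch 05 has the same 10-versus-15 disagreement. The id and name are copied from the failed-login template; patch 02 corrects them, so that needs no further action here.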
@@ -0,0 +1,28 @@
+{
+ "id": "aws-vpcflow-otel-reject-from-ip",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS VPC_FLOW OTEL] Excessive REJECT actions with single source IP",
+ "tags": ["AWS VPC_FLOW Logs OpenTelemetry Assets"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any source IP address whose reject requests exceed a threshold (e.g. > 1000 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.vpcflow.otel-default | WHERE @timestamp > NOW()- 10m | STATS reject_count= COUNT(aws.vpc.flow.action == \"REJECT\" OR NULL) BY source.address | WHERE reject_count > 1000 | SORT reject_count DESC"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
\ No newline at end of file
diff --git a/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-massive-data-transfer.json b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-massive-data-transfer.json
new file mode 100644
index 00000000000..d2332c33ab4
--- /dev/null
+++ b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-massive-data-transfer.json
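Review bot: `COUNT(aws.vpc.flow.action == \"REJECT\" OR NULL)` is the conditional-count idiom, but it aggregates every flow record in the window and then produces a zero-count group for every source address that had no rejects, relying on the later `WHERE reject_count > 1000` to discard them. A plain filter ahead of the aggregation — `| WHERE aws.vpc.flow.action == "REJECT" | STATS reject_count = COUNT(*) BY source.address` — says what it means and only touches the rejected flows. The missing space in `reject_count= COUNT` is a small consistency nit against the other templates in this commit.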
@@ -0,0 +1,28 @@
+{
+ "id": "aws-vpcflow-otel-massive-data-transfer",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS VPC_FLOW OTEL] Excessive data transfer from a single source",
+ "tags": ["AWS VPC_FLOW Logs OpenTelemetry Assets"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any source IP address whose bytes exceed a threshold (e.g. > 50GB in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.vpcflow.otel-default | WHERE @timestamp > NOW()- 10m | STATS total_bytes = SUM(aws.vpc.flow.bytes) BY source.address | WHERE total_bytes > 53687091200 | SORT total_bytes DESC"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
\ No newline at end of file
From a26bc1d653dda7fe647f2838da5da91c299d51a9 Mon Sep 17 00:00:00 2001 From: Linu Elias Date: Fri, 2 Jan 2026 13:28:00 +0530 Subject: [PATCH 02/10] fix IDs --- .../aws-cloudtrail-otel-multiple-errors-spike.json | 2 +- .../aws-cloudtrail-otel-resource-deletion.json | 4 ++-- ...w-otel-blocked-ip.json => aws-vpcflow-otel-reject-ip.json} | 2 +- 3 files changed, 4 insertions(+), 4 deletions(-) rename packages/aws_vpcflow_otel/kibana/alerting_rule_template/{aws-vpcflow-otel-blocked-ip.json => aws-vpcflow-otel-reject-ip.json} (96%)
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-errors-spike.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-errors-spike.json
index 220359570d3..7e4061cf308 100644
--- a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-errors-spike.json
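Review bot: The comment describes the threshold as "> 50GB" but `53687091200` is 50 × 1024³, i.e. 50 GiB; since this constant is the value operators are told to tune, the comment should name the unit and the byte value, e.g. `(e.g. > 50 GiB = 53687091200 bytes in 10 minutes)`. Summing `aws.vpc.flow.bytes` BY source.address alone also includes bytes on rejected flows; if the intent is accepted transfer volume, a `| WHERE aws.vpc.flow.action == "ACCEPT"` stage before the STATS is the natural narrowing, though how much it changes the result depends on the rejected traffic the VPC sees.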
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-errors-spike.json
@@ -1,5 +1,5 @@
 {
- "id": "aws-cloudtrail-multiple-errors-spike",
+ "id": "aws-cloudtrail-otel-multiple-errors-spike",
 "type": "alerting_rule_template",
 "attributes": {
 "name": "[AWS CLOUDTRAIL OTEL] Multiple failed login attempts from same IP",
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-resource-deletion.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-resource-deletion.json
index 23b8b31f65c..cfcc8c59a23 100644
--- a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-resource-deletion.json
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-resource-deletion.json
@@ -1,8 +1,8 @@
 {
- "id": "aws-cloudtrail-otel-multiple-failed-login-ip",
+ "id": "aws-cloudtrail-otel-massive-resource-deletion",
 "type": "alerting_rule_template",
 "attributes": {
- "name": "[AWS CLOUDTRAIL OTEL] Multiple failed login attempts from same IP",
+ "name": "[AWS CLOUDTRAIL OTEL] Massive resource deletion from same IP",
 "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
 "ruleTypeId": ".es-query",
 "schedule": {
diff --git a/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-blocked-ip.json b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-reject-ip.json
similarity index 96%
rename from packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-blocked-ip.json
rename to packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-reject-ip.json
index 6a004b91ba0..892a514c7a5 100644
--- a/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-blocked-ip.json
+++ b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-reject-ip.json
@@ -1,5 +1,5 @@
 {
- "id": "aws-vpcflow-otel-reject-from-ip",
+ "id": "aws-vpcflow-otel-reject-ip",
 "type": "alerting_rule_template",
 "attributes": {
 "name": "[AWS VPC_FLOW OTEL] Excessive REJECT actions with single source IP",
From 34e0b3f2a8f65c04f684e965d0698670c6b49020 Mon Sep 17 00:00:00 2001 From: Linu Elias Date: Fri, 2 Jan 2026 14:11:19 +0530 Subject: [PATCH 03/10] fix IDs --- ....json => aws-cloudtrail-otel-massive-resource-deletion.json} | 0 .../alerting_rule_template/aws-vpcflow-otel-reject-ip.json | 2 +- 2 files changed, 1 insertion(+), 1 deletion(-) rename packages/aws_cloudtrail_otel/kibana/alerting_rule_template/{aws-cloudtrail-otel-resource-deletion.json => aws-cloudtrail-otel-massive-resource-deletion.json} (100%)
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-resource-deletion.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-massive-resource-deletion.json
similarity index 100%
rename from packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-resource-deletion.json
rename to packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-massive-resource-deletion.json
diff --git a/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-reject-ip.json b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-reject-ip.json
index 892a514c7a5..0620d9f43d6 100644
--- a/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-reject-ip.json
+++ b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-reject-ip.json
@@ -13,7 +13,7 @@
 "timeWindowSize": 10,
 "timeWindowUnit": "m",
 "esqlQuery": {
- "esql": "// Alert triggers when any source IP address whose reject requests exceed a threshold (e.g. > 1000 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.vpcflow.otel-default | WHERE @timestamp > NOW()- 10m | STATS reject_count= COUNT(aws.vpc.flow.action == \"REJECT\" OR NULL) BY source.address | WHERE reject_count > 1000 | SORT reject_count DESC"
+ "esql": "// Alert triggers when any source IP address whose reject requests exceed a threshold (e.g. > 1000 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.vpcflow.otel-default | WHERE @timestamp > NOW()- 10m | STATS reject_count= COUNT(aws.vpc.flow.action == \"REJECT\" OR NULL) BY source.address | WHERE reject_count > 100 | SORT reject_count DESC"
 },
 "groupBy": "row",
 "timeField": "@timestamp"
From 83f3fef4b85d654a1a057158b5338a58f7af8511 Mon Sep 17 00:00:00 2001 From: Linu Elias Date: Sun, 4 Jan 2026 13:29:45 +0530 Subject: [PATCH 04/10] changelog --- packages/aws_cloudtrail_otel/changelog.yml | 5 +++++ packages/aws_cloudtrail_otel/manifest.yml | 2 +- packages/aws_vpcflow_otel/changelog.yml | 5 +++++ packages/aws_vpcflow_otel/manifest.yml | 2 +- 4 files changed, 12 insertions(+), 2 deletions(-)
diff --git a/packages/aws_cloudtrail_otel/changelog.yml b/packages/aws_cloudtrail_otel/changelog.yml
index 3c2a5ceb27a..ef411bd133b 100644
--- a/packages/aws_cloudtrail_otel/changelog.yml
+++ b/packages/aws_cloudtrail_otel/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.0"
+ changes:
+ - description: Add alerting rule templates
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/16750
 - version: "0.1.0"
 changes:
 - description: Initial draft of the AWS CloudTrail Logs OpenTelemetry Assets package
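Review bot: The threshold is lowered to `WHERE reject_count > 100`, but the leading comment on the same esql line still says "(e.g. > 1000 in 10 minutes)", so the text operators are told to read now contradicts the filter it describes. Change the comment in the same hunk to `(e.g. > 100 in 10 minutes)` so the documented and effective thresholds match. The surrounding object continues above and below this hunk, so nothing else in the template is visible here.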
diff --git a/packages/aws_cloudtrail_otel/manifest.yml b/packages/aws_cloudtrail_otel/manifest.yml
index 8ef91cf6e47..94b995581c1 100644
--- a/packages/aws_cloudtrail_otel/manifest.yml
+++ b/packages/aws_cloudtrail_otel/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.5.0
 name: aws_cloudtrail_otel
 title: "AWS CloudTrail Logs OpenTelemetry Assets"
-version: 0.1.0
+version: 0.2.0
 source:
 license: "Elastic-2.0"
 description: "AWS CloudTrail Logs OpenTelemetry Assets"
diff --git a/packages/aws_vpcflow_otel/changelog.yml b/packages/aws_vpcflow_otel/changelog.yml
index d4896e56806..fdbd5e01c0c 100644
--- a/packages/aws_vpcflow_otel/changelog.yml
+++ b/packages/aws_vpcflow_otel/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.0"
+ changes:
+ - description: Add alerting rule templates
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/16750
 - version: "0.1.1"
 changes:
 - description: Add "Alternative setup using awss3receiver" section to README
diff --git a/packages/aws_vpcflow_otel/manifest.yml b/packages/aws_vpcflow_otel/manifest.yml
index cd6bbf52eb3..b25c38d298d 100644
--- a/packages/aws_vpcflow_otel/manifest.yml
+++ b/packages/aws_vpcflow_otel/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.5.0
 name: aws_vpcflow_otel
 title: "AWS VPC Flow Logs OpenTelemetry Assets"
-version: 0.1.1
+version: 0.2.0
 source:
 license: "Elastic-2.0"
 description: "AWS VPC Flow Logs OpenTelemetry Assets"
From d7273e677f8297ec8fcae29edae6c7eea74e84b3 Mon Sep 17 00:00:00 2001
From: Linu Elias Date: Mon, 5 Jan 2026 17:22:18 +0530 Subject: [PATCH 05/10] add elb alerts --- ...cloudtrail-otel-high-security-changes.json | 2 +- ...dtrail-otel-massive-resource-deletion.json | 2 +- ...cloudtrail-otel-multiple-errors-spike.json | 2 +- ...udtrail-otel-multiple-failed-login-ip.json | 2 +- packages/aws_elb_otel/changelog.yml | 5 ++++ ...s-elb-otel-application-level-failures.json | 30 +++++++++++++++++++ .../aws-elb-otel-backend-target-failures.json | 28 +++++++++++++++++ packages/aws_elb_otel/manifest.yml | 2 +- ...ws-vpcflow-otel-massive-data-transfer.json | 4 +-- .../aws-vpcflow-otel-reject-ip.json | 4 +-- 10 files changed, 72 insertions(+), 9 deletions(-)
create mode 100644 packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-level-failures.json
create mode 100644 packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-target-failures.json
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-security-changes.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-security-changes.json
index 728a981e2eb..5c4baf2ff79 100644
--- a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-security-changes.json
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-security-changes.json
@@ -2,7 +2,7 @@
 "id": "aws-cloudtrail-otel-high-security-changes",
 "type": "alerting_rule_template",
 "attributes": {
- "name": "[AWS CLOUDTRAIL OTEL] Excessive high-risk actions succeed",
+ "name": "[AWS CloudTrail OTEL] Excessive high-risk actions succeed",
 "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
 "ruleTypeId": ".es-query",
 "schedule": {
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-massive-resource-deletion.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-massive-resource-deletion.json
index cfcc8c59a23..9aa8302e9ec 100644
--- a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-massive-resource-deletion.json
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-massive-resource-deletion.json
@@ -2,7 +2,7 @@
 "id": "aws-cloudtrail-otel-massive-resource-deletion",
 "type": "alerting_rule_template",
 "attributes": {
- "name": "[AWS CLOUDTRAIL OTEL] Massive resource deletion from same IP",
+ "name": "[AWS CloudTrail OTEL] Massive resource deletion from same IP",
 "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
 "ruleTypeId": ".es-query",
 "schedule": {
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-errors-spike.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-errors-spike.json
index 7e4061cf308..68914068b81 100644
--- a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-errors-spike.json
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-errors-spike.json
@@ -2,7 +2,7 @@
 "id": "aws-cloudtrail-otel-multiple-errors-spike",
 "type": "alerting_rule_template",
 "attributes": {
- "name": "[AWS CLOUDTRAIL OTEL] Multiple failed login attempts from same IP",
+ "name": "[AWS CloudTrail OTEL] Multiple failed login attempts from same IP",
 "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
 "ruleTypeId": ".es-query",
 "schedule": {
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-failed-login-ip.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-failed-login-ip.json
index 82313b64901..186abac80b0 100644
--- a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-failed-login-ip.json
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-failed-login-ip.json
@@ -2,7 +2,7 @@
 "id": "aws-cloudtrail-otel-multiple-failed-login-ip",
 "type": "alerting_rule_template",
 "attributes": {
- "name": "[AWS CLOUDTRAIL OTEL] Multiple failed login attempts from same IP",
+ "name": "[AWS CloudTrail OTEL] Multiple failed login attempts from same IP",
 "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
 "ruleTypeId": ".es-query",
 "schedule": {
diff --git a/packages/aws_elb_otel/changelog.yml b/packages/aws_elb_otel/changelog.yml
index 1baaa93a2d2..65395a85f46 100644
--- a/packages/aws_elb_otel/changelog.yml
+++ b/packages/aws_elb_otel/changelog.yml
@@ -1,4 +1,9 @@
 # newer versions go on top
+- version: "0.2.0"
+ changes:
+ - description: Add alerting rule templates
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/16750
 - version: "0.1.1"
 changes:
 - description: Add "Alternative setup using awss3receiver" section to README
diff --git a/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-level-failures.json b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-level-failures.json
new file mode 100644
index 00000000000..44aec1a8287
--- /dev/null
+++ b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-level-failures.json
@@ -0,0 +1,30 @@
+{
+ "id": "aws-elb-otel-application-levl-failures",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS ELB OTEL] Application Level Failures",
+ "tags": [
+ "AWS Elb Logs OpenTelemetry Assets"
+ ],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any client IP address whose error count exceed a threshold (e.g. > 50 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.elbaccess.otel-default | WHERE @timestamp > NOW()- 10m | WHERE aws.elb.status.code != 200| STATS error_count = COUNT(*) BY client.address | WHERE error_count >= 50 | SORT error_count DESC"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
\ No newline at end of file
diff --git a/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-target-failures.json b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-target-failures.json
new file mode 100644
index 00000000000..697b843eaa6
--- /dev/null
+++ b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-target-failures.json
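Review bot: `WHERE aws.elb.status.code != 200` treats every non-200 response as a failure, so 201/204 responses, 301/302 redirects and 304 cache hits all count toward error_count and the rule will fire on a busy but healthy site. If aws.elb.status.code is mapped as a number, `WHERE aws.elb.status.code >= 400` matches the "failures" the rule name promises (or `>= 500` to exclude client errors); if it is a keyword field, a conversion would be needed before the comparison, so check the field type in the package's mappings. The comment's "> 50" also disagrees with `>= 50`, and `!= 200| STATS` is missing the space before the pipe that the other templates use. The id typo is corrected in patch 06, so that needs nothing further here.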
@@ -0,0 +1,28 @@
+{
+ "id": "aws-elb-backend-target-failures",
+ "type": "alerting_rule_template",
+ "attributes": {
+ "name": "[AWS ELB OTEL] Backend target failures",
+ "tags": ["AWS Elb Logs OpenTelemetry Assets"],
+ "ruleTypeId": ".es-query",
+ "schedule": {
+ "interval": "5m"
+ },
+ "params": {
+ "searchType": "esqlQuery",
+ "timeWindowSize": 10,
+ "timeWindowUnit": "m",
+ "esqlQuery": {
+ "esql": "// Alert triggers when any source IP address whose backend error count exceed a threshold (e.g. > 100 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.elbaccess.otel-default | WHERE aws.error.code IS NOT NULL | WHERE @timestamp > NOW()- 15m | WHERE aws.elb.backend.status.code != 200| | STATS backend_error_count = COUNT(*), BY cloud.resource_id | WHERE backend_error_count >= 50 | SORT backend_error_count DESC"
+ },
+ "groupBy": "row",
+ "timeField": "@timestamp"
+ },
+ "alertDelay": {
+ "active": 1
+ }
+ },
+ "managed": true,
+ "coreMigrationVersion": "8.8.0",
+ "typeMigrationVersion": "10.1.0"
+}
\ No newline at end of file
diff --git a/packages/aws_elb_otel/manifest.yml b/packages/aws_elb_otel/manifest.yml
index 08b09fc13af..1a28e9ced76 100644
--- a/packages/aws_elb_otel/manifest.yml
+++ b/packages/aws_elb_otel/manifest.yml
@@ -1,7 +1,7 @@
 format_version: 3.5.0
 name: aws_elb_otel
 title: "AWS ELB OpenTelemetry Assets"
-version: 0.1.1
+version: 0.2.0
 source:
 license: "Elastic-2.0"
 description: "AWS ELB logs for OpenTelemetry Collector"
diff --git a/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-massive-data-transfer.json b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-massive-data-transfer.json
index d2332c33ab4..78226232639 100644
--- a/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-massive-data-transfer.json
+++ b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-massive-data-transfer.json
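Review bot: The esql string will not parse as written: `!= 200| | STATS` leaves an empty pipeline stage and `COUNT(*), BY` has a stray comma before BY, so the rule would error on every run. Beyond syntax, `WHERE aws.error.code IS NOT NULL` looks carried over from the CloudTrail templates — unless the ELB OTel mapping populates that field, the predicate drops every row and the rule can never fire — and the window is `NOW()- 15m` while `"timeWindowSize": 10` and the comment both say 10 minutes, with the comment's "> 100" not matching `>= 50`. A corrected query keeping the existing field names would be `FROM logs-aws.elbaccess.otel-default | WHERE @timestamp > NOW()- 10m | WHERE aws.elb.backend.status.code != 200 | STATS backend_error_count = COUNT(*) BY cloud.resource_id | WHERE backend_error_count >= 50 | SORT backend_error_count DESC`, and `>= 500` in place of `!= 200` would better match "target failures" if the field is numeric. Patch 06's hunk on this file only fixes the id, so all of this survives the series; the comment's "source IP address" should also say load balancer, since the grouping is by cloud.resource_id.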
@@ -2,8 +2,8 @@
 "id": "aws-vpcflow-otel-massive-data-transfer",
 "type": "alerting_rule_template",
 "attributes": {
- "name": "[AWS VPC_FLOW OTEL] Excessive data transfer from a single source",
- "tags": ["AWS VPC_FLOW Logs OpenTelemetry Assets"],
+ "name": "[AWS VPC OTEL] Excessive data transfer from a single source",
+ "tags": ["AWS VPC Logs OpenTelemetry Assets"],
 "ruleTypeId": ".es-query",
 "schedule": {
 "interval": "5m"
diff --git a/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-reject-ip.json b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-reject-ip.json
index 0620d9f43d6..399f35735e0 100644
--- a/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-reject-ip.json
+++ b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-reject-ip.json
@@ -2,8 +2,8 @@
 "id": "aws-vpcflow-otel-reject-ip",
 "type": "alerting_rule_template",
 "attributes": {
- "name": "[AWS VPC_FLOW OTEL] Excessive REJECT actions with single source IP",
- "tags": ["AWS VPC_FLOW Logs OpenTelemetry Assets"],
+ "name": "[AWS VPC OTEL] Excessive REJECT actions with single source IP",
+ "tags": ["AWS VPC Logs OpenTelemetry Assets"],
 "ruleTypeId": ".es-query",
 "schedule": {
 "interval": "5m"
From e75240e69bae7175b095c7d9a2fe94e8f5d5bb85 Mon Sep 17 00:00:00 2001 From: Linu Elias Date: Mon, 5 Jan 2026 17:42:36 +0530 Subject: [PATCH 06/10] fix IDs --- .../aws-elb-otel-application-level-failures.json | 2 +- .../aws-elb-otel-backend-target-failures.json | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-level-failures.json b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-level-failures.json
index 44aec1a8287..04adae54a06 100644
--- a/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-level-failures.json
+++ b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-level-failures.json
@@ -1,5 +1,5 @@
 {
- "id": "aws-elb-otel-application-levl-failures",
+ "id": "aws-elb-otel-application-level-failures",
 "type": "alerting_rule_template",
 "attributes": {
 "name": "[AWS ELB OTEL] Application Level Failures",
diff --git a/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-target-failures.json b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-target-failures.json
index 697b843eaa6..4837bc07a19 100644
--- a/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-target-failures.json
+++ b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-target-failures.json
@@ -1,5 +1,5 @@
 {
- "id": "aws-elb-backend-target-failures",
+ "id": "aws-elb-otel-backend-target-failures",
 "type": "alerting_rule_template",
 "attributes": {
 "name": "[AWS ELB OTEL] Backend target failures",
From 5decaef2c0586267d402ab6e205847b3abe72e0f Mon Sep 17 00:00:00 2001 From: Linu Elias Date: Tue, 6 Jan 2026 00:12:15 +0530 Subject: [PATCH 07/10] fix --- .../aws-cloudtrail-otel-high-security-changes.json | 2 +- .../aws-cloudtrail-otel-massive-resource-deletion.json | 2 +- .../aws-elb-otel-application-level-failures.json | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-security-changes.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-security-changes.json
index 5c4baf2ff79..daacade3067 100644
--- a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-security-changes.json
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-security-changes.json
@@ -13,7 +13,7 @@
 "timeWindowSize": 10,
 "timeWindowUnit": "m",
 "esqlQuery": {
- "esql": "// Alert triggers when any high risk actions succeded within a given threshold time from a single user or IP\nFROM logs-aws.cloudtrail.otel-default | WHERE @timestamp > NOW()- 10m | WHERE rpc.method IN (\"StopLogging\", \"DeleteTrail\",\"AttachUserPolicy\", \"AttachRolePolicy\",\"CreateAccessKey\", \"CreateUser\",\"AuthorizeSecurityGroupIngress\",\"DisableKey\", \"ScheduleKeyDeletion\")| STATS change_count = COUNT(*),changes = VALUES(rpc.method) BY user.name, source.address"
+ "esql": "// Alert triggers when any high risk actions succeded within a given threshold time from a single user or IP\nFROM logs-aws.cloudtrail.otel-default | WHERE @timestamp > NOW()- 10m | WHERE rpc.method IN (\"StopLogging\", \"DeleteTrail\",\"AttachUserPolicy\", \"AttachRolePolicy\",\"CreateAccessKey\", \"CreateUser\",\"AuthorizeSecurityGroupIngress\",\"DisableKey\", \"ScheduleKeyDeletion\")| STATS change_count = COUNT(*),changes = VALUES(rpc.method) BY user.name, source.address WHERE change_count >= 100 | SORT change_count DESC"
 },
 "groupBy": "row",
 "timeField": "@timestamp"
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-massive-resource-deletion.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-massive-resource-deletion.json
index 9aa8302e9ec..2bd7765ee79 100644
--- a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-massive-resource-deletion.json
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-massive-resource-deletion.json
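Review bot: The new threshold is spliced into the STATS stage rather than added as its own stage — the added line ends `BY user.name, source.address WHERE change_count >= 100 | SORT change_count DESC` — and I do not believe ES|QL accepts a WHERE after the BY clause (the per-aggregation filter form goes before BY, and change_count does not exist until STATS has run), so the rule would fail to parse; it should read `... BY user.name, source.address | WHERE change_count >= 100 | SORT change_count DESC`. Separately, requiring 100 successful StopLogging/DeleteTrail/CreateAccessKey-class calls from one user and address in 10 minutes means a single trail being stopped — the case this rule exists for — no longer alerts, and the comment (still "succeded", still mentioning no count) does not document the new threshold; if a threshold is kept, the comment should state it and a much lower default is worth considering for these particular actions. The surrounding object continues outside this hunk.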
@@ -13,7 +13,7 @@
       "timeWindowSize": 10,
       "timeWindowUnit": "m",
       "esqlQuery": {
-        "esql": "// Alert triggers when any source IP address whose delete requests exceed a threshold (e.g. > 1000 in 15 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.cloudtrail.otel-default | WHERE @timestamp > NOW()- 15m | WHERE aws.error.code IS NULL | WHERE rpc.method IN (\"TerminateInstances\",\"DeleteBucket\",\"DeleteDBInstance\",\"DeleteFunction\",\"DeleteVolume\",\"DeleteSnapshot\") | STATS deletion_count = COUNT(*) BY user.name, source.address | WHERE deletion_count >= 100 | SORT deletion_count DESC"
+        "esql": "// Alert triggers when any source IP address whose delete requests exceed a threshold (e.g. > 1000 in 15 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.cloudtrail.otel-default | WHERE @timestamp > NOW()- 15m | WHERE aws.error.code IS NULL | WHERE rpc.method IN (\"TerminateInstances\",\"DeleteBucket\",\"DeleteDBInstance\",\"DeleteFunction\",\"DeleteVolume\",\"DeleteSnapshot\") | STATS deletion_count = COUNT(*) BY user.name, source.address | WHERE deletion_count >= 1000 | SORT deletion_count DESC"
       },
       "groupBy": "row",
       "timeField": "@timestamp"
diff --git a/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-level-failures.json b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-level-failures.json
index 04adae54a06..6b2761791f9 100644
--- a/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-level-failures.json
+++ b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-level-failures.json
@@ -2,7 +2,7 @@
   "id": "aws-elb-otel-application-level-failures",
   "type": "alerting_rule_template",
   "attributes": {
-    "name": "[AWS ELB OTEL] Application Level Failures",
+    "name": "[AWS ELB OTEL] Applicationl level failures",
     "tags": [
       "AWS Elb Logs OpenTelemetry Assets"
     ],
From 561461a7404405e79aa825a42e2d7a069c50101e Mon Sep 17 00:00:00 2001
From: Linu-Elias
Date: Fri, 9 Jan 2026 13:42:01 +0530
Subject: [PATCH 08/10] Update aws-cloudtrail-otel-multiple-errors-spike.json

---
 .../aws-cloudtrail-otel-multiple-errors-spike.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-errors-spike.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-errors-spike.json
index 68914068b81..c7f9fbd372c 100644
--- a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-errors-spike.json
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-errors-spike.json
@@ -2,7 +2,7 @@
   "id": "aws-cloudtrail-otel-multiple-errors-spike",
   "type": "alerting_rule_template",
   "attributes": {
-    "name": "[AWS CloudTrail OTEL] Multiple failed login attempts from same IP",
+    "name": "[AWS CloudTrail OTEL] Multiple error spike from same IP",
     "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
     "ruleTypeId": ".es-query",
     "schedule": {
@@ -25,4 +25,4 @@
   "managed": true,
   "coreMigrationVersion": "8.8.0",
   "typeMigrationVersion": "10.1.0"
-}
\ No newline at end of file
+}
From a475f2a6af1fd8410b2c2155ecdcc079132e24dc Mon Sep 17 00:00:00 2001
From: Linu Elias
Date: Tue, 13 Jan 2026 14:57:42 +0530
Subject: [PATCH 09/10] update names

---
 ...rs-spike.json => aws-cloudtrail-otel-high-error-rate.json} | 4 ++--
 ...n.json => aws-cloudtrail-otel-high-resource-deletion.json} | 4 ++--
 ...n => aws-cloudtrail-otel-high-risk-actions-succeeded.json} | 4 ++--
 ...> aws-cloudtrail-otel-multiple-failed-login-attempts.json} | 4 ++--
 ...vel-failures.json => aws-elb-otel-application-errors.json} | 4 ++--
 ...-target-failures.json => aws-elb-otel-backend-errors.json} | 4 ++--
 ...fer.json => aws-vpcflow-otel-high-data-transfer-rate.json} | 4 ++--
 ...ject-ip.json => aws-vpcflow-otel-high-reject-actions.json} | 4 ++--
 8 files changed, 16 insertions(+), 16 deletions(-)
 rename packages/aws_cloudtrail_otel/kibana/alerting_rule_template/{aws-cloudtrail-otel-multiple-errors-spike.json => aws-cloudtrail-otel-high-error-rate.json} (88%)
 rename packages/aws_cloudtrail_otel/kibana/alerting_rule_template/{aws-cloudtrail-otel-massive-resource-deletion.json => aws-cloudtrail-otel-high-resource-deletion.json} (89%)
 rename packages/aws_cloudtrail_otel/kibana/alerting_rule_template/{aws-cloudtrail-otel-high-security-changes.json => aws-cloudtrail-otel-high-risk-actions-succeeded.json} (89%)
 rename packages/aws_cloudtrail_otel/kibana/alerting_rule_template/{aws-cloudtrail-otel-multiple-failed-login-ip.json => aws-cloudtrail-otel-multiple-failed-login-attempts.json} (93%)
 rename packages/aws_elb_otel/kibana/alerting_rule_template/{aws-elb-otel-application-level-failures.json => aws-elb-otel-application-errors.json} (90%)
 rename packages/aws_elb_otel/kibana/alerting_rule_template/{aws-elb-otel-backend-target-failures.json => aws-elb-otel-backend-errors.json} (91%)
 rename packages/aws_vpcflow_otel/kibana/alerting_rule_template/{aws-vpcflow-otel-massive-data-transfer.json => aws-vpcflow-otel-high-data-transfer-rate.json} (88%)
 rename packages/aws_vpcflow_otel/kibana/alerting_rule_template/{aws-vpcflow-otel-reject-ip.json => aws-vpcflow-otel-high-reject-actions.json} (89%)

diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-errors-spike.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-error-rate.json
similarity index 88%
rename from packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-errors-spike.json
rename to packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-error-rate.json
index c7f9fbd372c..194cb8fa026 100644
--- a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-errors-spike.json
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-error-rate.json
@@ -1,8 +1,8 @@
 {
-  "id": "aws-cloudtrail-otel-multiple-errors-spike",
+  "id": "aws-cloudtrail-otel-high-error-rate",
   "type": "alerting_rule_template",
   "attributes": {
-    "name": "[AWS CloudTrail OTEL] Multiple error spike from same IP",
+    "name": "[AWS CloudTrail OTEL] High error rate",
     "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
     "ruleTypeId": ".es-query",
     "schedule": {
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-massive-resource-deletion.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-resource-deletion.json
similarity index 89%
rename from packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-massive-resource-deletion.json
rename to packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-resource-deletion.json
index 2bd7765ee79..ca96ee12198 100644
--- a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-massive-resource-deletion.json
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-resource-deletion.json
@@ -1,8 +1,8 @@
 {
-  "id": "aws-cloudtrail-otel-massive-resource-deletion",
+  "id": "aws-cloudtrail-otel-high-resource-deletion",
   "type": "alerting_rule_template",
   "attributes": {
-    "name": "[AWS CloudTrail OTEL] Massive resource deletion from same IP",
+    "name": "[AWS CloudTrail OTEL] High resource deletion",
     "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
     "ruleTypeId": ".es-query",
     "schedule": {
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-security-changes.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-risk-actions-succeeded.json
similarity index 89%
rename from packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-security-changes.json
rename to packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-risk-actions-succeeded.json
index daacade3067..a99bce9a4a0 100644
--- a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-security-changes.json
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-risk-actions-succeeded.json
@@ -1,8 +1,8 @@
 {
-  "id": "aws-cloudtrail-otel-high-security-changes",
+  "id": "aws-cloudtrail-otel-high-risk-actions-succeeded",
   "type": "alerting_rule_template",
   "attributes": {
-    "name": "[AWS CloudTrail OTEL] Excessive high-risk actions succeed",
+    "name": "[AWS CloudTrail OTEL] High-risk actions succeeded",
     "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
     "ruleTypeId": ".es-query",
     "schedule": {
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-failed-login-ip.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-failed-login-attempts.json
similarity index 93%
rename from packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-failed-login-ip.json
rename to packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-failed-login-attempts.json
index 186abac80b0..4349c6208bc 100644
--- a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-failed-login-ip.json
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-multiple-failed-login-attempts.json
@@ -1,8 +1,8 @@
 {
-  "id": "aws-cloudtrail-otel-multiple-failed-login-ip",
+  "id": "aws-cloudtrail-otel-multiple-failed-login-attempts",
   "type": "alerting_rule_template",
   "attributes": {
-    "name": "[AWS CloudTrail OTEL] Multiple failed login attempts from same IP",
+    "name": "[AWS CloudTrail OTEL] Multiple failed login attempts",
     "tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
     "ruleTypeId": ".es-query",
     "schedule": {
diff --git a/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-level-failures.json b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-errors.json
similarity index 90%
rename from packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-level-failures.json
rename to packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-errors.json
index 6b2761791f9..39b8d460112 100644
--- a/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-level-failures.json
+++ b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-errors.json
@@ -1,8 +1,8 @@
 {
-  "id": "aws-elb-otel-application-level-failures",
+  "id": "aws-elb-otel-application-errors",
   "type": "alerting_rule_template",
   "attributes": {
-    "name": "[AWS ELB OTEL] Applicationl level failures",
+    "name": "[AWS ELB OTEL] Application errors",
     "tags": [
       "AWS Elb Logs OpenTelemetry Assets"
     ],
diff --git a/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-target-failures.json b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-errors.json
similarity index 91%
rename from packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-target-failures.json
rename to packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-errors.json
index 4837bc07a19..4fc4624c963 100644
--- a/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-target-failures.json
+++ b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-errors.json
@@ -1,8 +1,8 @@
 {
-  "id": "aws-elb-otel-backend-target-failures",
+  "id": "aws-elb-otel-backend-errors",
   "type": "alerting_rule_template",
   "attributes": {
-    "name": "[AWS ELB OTEL] Backend target failures",
+    "name": "[AWS ELB OTEL] Backend errors",
     "tags": ["AWS Elb Logs OpenTelemetry Assets"],
     "ruleTypeId": ".es-query",
     "schedule": {
diff --git a/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-massive-data-transfer.json b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-high-data-transfer-rate.json
similarity index 88%
rename from packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-massive-data-transfer.json
rename to packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-high-data-transfer-rate.json
index 78226232639..41e6209f25b 100644
--- a/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-massive-data-transfer.json
+++ b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-high-data-transfer-rate.json
@@ -1,8 +1,8 @@
 {
-  "id": "aws-vpcflow-otel-massive-data-transfer",
+  "id": "aws-vpcflow-otel-high-data-transfer-rate",
   "type": "alerting_rule_template",
   "attributes": {
-    "name": "[AWS VPC OTEL] Excessive data transfer from a single source",
+    "name": "[AWS VPC OTEL] High data transfer rate",
     "tags": ["AWS VPC Logs OpenTelemetry Assets"],
     "ruleTypeId": ".es-query",
     "schedule": {
diff --git a/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-reject-ip.json b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-high-reject-actions.json
similarity index 89%
rename from packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-reject-ip.json
rename to packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-high-reject-actions.json
index 399f35735e0..6de27a0d6a0 100644
--- a/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-reject-ip.json
+++ b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-high-reject-actions.json
@@ -1,8 +1,8 @@
 {
-  "id": "aws-vpcflow-otel-reject-ip",
+  "id": "aws-vpcflow-otel-high-reject-actions",
   "type": "alerting_rule_template",
   "attributes": {
-    "name": "[AWS VPC OTEL] Excessive REJECT actions with single source IP",
+    "name": "[AWS VPC OTEL] High reject actions",
     "tags": ["AWS VPC Logs OpenTelemetry Assets"],
     "ruleTypeId": ".es-query",
     "schedule": {
From c7e2439c4ad1a65ac8916bdd0065b13ce2cfb817 Mon Sep 17 00:00:00 2001
From: Linu Elias
Date: Fri, 16 Jan 2026 16:51:40 +0530
Subject: [PATCH 10/10] update query

---
 .../aws-cloudtrail-otel-high-error-rate.json | 2 +-
 .../aws-cloudtrail-otel-high-resource-deletion.json | 2 +-
 .../aws-cloudtrail-otel-high-risk-actions-succeeded.json | 2 +-
 .../alerting_rule_template/aws-elb-otel-application-errors.json | 2 +-
 .../alerting_rule_template/aws-elb-otel-backend-errors.json | 2 +-
 .../aws-vpcflow-otel-high-data-transfer-rate.json | 2 +-
 .../aws-vpcflow-otel-high-reject-actions.json | 2 +-
 7 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-error-rate.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-error-rate.json
index 194cb8fa026..dc876a037cf 100644
--- a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-error-rate.json
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-error-rate.json
@@ -13,7 +13,7 @@
       "timeWindowSize": 10,
       "timeWindowUnit": "m",
       "esqlQuery": {
-        "esql": "// Alert triggers when any source IP address whose error count exceed a threshold (e.g. > 100 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.cloudtrail.otel-default | WHERE aws.error.code IS NOT NULL | WHERE @timestamp > NOW()- 10m | STATS error_count = COUNT(*) BY source.address | WHERE error_count >= 100 | SORT error_count DESC"
+        "esql": "// Alert triggers when any source IP address whose critical error count exceed a threshold (e.g. > 5 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.cloudtrail.otel-default| WHERE aws.error.code IN (\"InvalidClientTokenId\",\"SignatureDoesNotMatch\",\"InvalidAccessKeyId\",\"ExpiredToken\",\"InvalidToken\",\"InvalidPassword\",\"Failed authentication\",\"UnrecognizedClientException\",\"AccessDenied\",\"AccessDeniedException\",\"UnauthorizedOperation\")| STATS error_count = COUNT(*) BY source.address| WHERE error_count > 5"
       },
       "groupBy": "row",
       "timeField": "@timestamp"
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-resource-deletion.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-resource-deletion.json
index ca96ee12198..d197fa53b64 100644
--- a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-resource-deletion.json
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-resource-deletion.json
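Review bot: The new `aws.error.code IN (...)` list on the `+` line mixes authentication failures (invalid/expired credentials, signature mismatch) with authorization denials (`AccessDenied`, `UnauthorizedOperation`), yet the header comment still speaks of a generic "critical error count" and the template is named high-error-rate; the comment should name what is counted, e.g. `// Counts authentication and authorization failures per source address; adjust the list and threshold to your environment`. If `aws.error.code` is mapped from CloudTrail's `errorCode`, the entry `"Failed authentication"` is unlikely to ever match — CloudTrail carries that text in `errorMessage` for ConsoleLogin failures — so either drop it or add a condition on the message field; confirm against the package's field mapping. Dropping the explicit `WHERE @timestamp > NOW()- 10m` is fine only because the rule scopes the query by `timeField` and `timeWindowSize: 10`/`m` in the context lines; the "in 10 minutes" in the comment now has to be kept in step with those settings.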
@@ -13,7 +13,7 @@
       "timeWindowSize": 10,
       "timeWindowUnit": "m",
       "esqlQuery": {
-        "esql": "// Alert triggers when any source IP address whose delete requests exceed a threshold (e.g. > 1000 in 15 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.cloudtrail.otel-default | WHERE @timestamp > NOW()- 15m | WHERE aws.error.code IS NULL | WHERE rpc.method IN (\"TerminateInstances\",\"DeleteBucket\",\"DeleteDBInstance\",\"DeleteFunction\",\"DeleteVolume\",\"DeleteSnapshot\") | STATS deletion_count = COUNT(*) BY user.name, source.address | WHERE deletion_count >= 1000 | SORT deletion_count DESC"
+        "esql": "// Alert triggers when any source IP address whose delete requests exceed a threshold (e.g. > 5 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.cloudtrail.otel-default | WHERE aws.error.code IS NULL | WHERE rpc.method IN (\"TerminateInstances\",\"DeleteBucket\",\"DeleteDBInstance\",\"DeleteFunction\",\"DeleteVolume\",\"DeleteSnapshot\") | STATS deletion_count = COUNT(*) BY source.address | WHERE deletion_count >= 5"
       },
       "groupBy": "row",
       "timeField": "@timestamp"
diff --git a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-risk-actions-succeeded.json b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-risk-actions-succeeded.json
index a99bce9a4a0..c8f2a62e5aa 100644
--- a/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-risk-actions-succeeded.json
+++ b/packages/aws_cloudtrail_otel/kibana/alerting_rule_template/aws-cloudtrail-otel-high-risk-actions-succeeded.json
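Review bot: The comment on the `+` line documents the threshold as "> 5 in 10 minutes" but the condition is `WHERE deletion_count >= 5`, so the rule fires one call earlier than documented; align them with `| WHERE deletion_count > 5` or change the comment to ">= 5". Dropping `user.name` from the `BY` clause means an alert row now carries only a source address, so the responder cannot tell which principal issued the deletions without a follow-up query; `BY source.address, user.name` (or `aws.principal.arn`, as the high-risk-actions template in this same commit uses) keeps that context in the alert. `COUNT(*)` counts API calls rather than resources — one `TerminateInstances` call can name many instances — so the threshold understates bulk deletion; a short remark to that effect in the comment would help whoever tunes it.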
@@ -13,7 +13,7 @@
       "timeWindowSize": 10,
       "timeWindowUnit": "m",
       "esqlQuery": {
-        "esql": "// Alert triggers when any high risk actions succeded within a given threshold time from a single user or IP\nFROM logs-aws.cloudtrail.otel-default | WHERE @timestamp > NOW()- 10m | WHERE rpc.method IN (\"StopLogging\", \"DeleteTrail\",\"AttachUserPolicy\", \"AttachRolePolicy\",\"CreateAccessKey\", \"CreateUser\",\"AuthorizeSecurityGroupIngress\",\"DisableKey\", \"ScheduleKeyDeletion\")| STATS change_count = COUNT(*),changes = VALUES(rpc.method) BY user.name, source.address WHERE change_count >= 100 | SORT change_count DESC"
+        "esql": "// Alert triggers when any high risk actions succeded within a given threshold time from a single user or IP\nFROM logs-aws.cloudtrail.otel-default | WHERE rpc.method IN (\"StopLogging\", \"DeleteTrail\", \"UpdateTrail\", \"AttachUserPolicy\", \"AttachRolePolicy\", \"PutUserPolicy\", \"PutRolePolicy\", \"CreateAccessKey\", \"CreateUser\", \"CreateLoginProfile\", \"DisableKey\", \"ScheduleKeyDeletion\", \"DeleteBucket\", \"PutBucketPolicy\", \"PutBucketLogging\", \"DeleteDetector\", \"DeleteMembers\", \"DisassociateFromMasterAccount\", \"DeleteFlowLogs\", \"DeleteAlarms\", \"DeleteConfigRule\", \"DeleteEventBusRule\") AND aws.error.code IS NULL | STATS action_count = COUNT(*), actions = VALUES(rpc.method), ips = VALUES(source.address) BY aws.principal.arn, user.name | WHERE action_count>1"
       },
       "groupBy": "row",
       "timeField": "@timestamp"
diff --git a/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-errors.json b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-errors.json
index 39b8d460112..b6ef7933f96 100644
--- a/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-errors.json
+++ b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-application-errors.json
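Review bot: The header comment on the `+` line still says "from a single user or IP", but the query now groups `BY aws.principal.arn, user.name` and only collects IPs as `VALUES(source.address)`; it should read something like `// Alert triggers when a single principal successfully performs more than one high-risk action within the time window; source IPs are listed for context` (and fix "succeded"). `"DeleteEventBusRule"` does not look like an EventBridge action name — the rule-deletion API is `DeleteRule`, with `DeleteEventBus` for the bus itself — so that entry most likely never matches and leaves a gap in the logging/monitoring-tamper coverage; verify against the `eventName` values the package actually produces. Because `rpc.method` is matched without `rpc.service`, shared names such as `DeleteMembers` or `PutBucketPolicy` match for every service that uses them, which is acceptable here but should be stated in the comment.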
@@ -15,7 +15,7 @@
       "timeWindowSize": 10,
       "timeWindowUnit": "m",
       "esqlQuery": {
-        "esql": "// Alert triggers when any client IP address whose error count exceed a threshold (e.g. > 50 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.elbaccess.otel-default | WHERE @timestamp > NOW()- 10m | WHERE aws.elb.status.code != 200| STATS error_count = COUNT(*) BY client.address | WHERE error_count >= 50 | SORT error_count DESC"
+        "esql": "// Alert triggers when any client resource.id whose error count exceed a threshold (e.g. 50 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.elbaccess.otel-default | WHERE aws.elb.status.code >= 400| STATS error_count = COUNT(*) BY cloud.resource_id | WHERE error_count >= 50"
       },
       "groupBy": "row",
       "timeField": "@timestamp"
diff --git a/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-errors.json b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-errors.json
index 4fc4624c963..603ee5a35e9 100644
--- a/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-errors.json
+++ b/packages/aws_elb_otel/kibana/alerting_rule_template/aws-elb-otel-backend-errors.json
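Review bot: The comment on the `+` line says "any client resource.id", but the query no longer groups by `client.address`, and `cloud.resource_id` presumably identifies the load balancer rather than the client; the comment should read `// Alert triggers when a load balancer (cloud.resource_id) returns 50 or more error responses (status >= 400) within the time window`. Replacing `!= 200` with `>= 400` correctly stops counting 2xx/3xx responses as errors, but the 4xx range bundles client-side errors (404 probing, 403 denials) with genuine application failures, so a single noisy client can trip an "application errors" rule on an otherwise healthy ALB; either document that or split 4xx and 5xx the way the backend-errors template in this commit uses `>= 500`.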
@@ -13,7 +13,7 @@
       "timeWindowSize": 10,
       "timeWindowUnit": "m",
       "esqlQuery": {
-        "esql": "// Alert triggers when any source IP address whose backend error count exceed a threshold (e.g. > 100 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.elbaccess.otel-default | WHERE aws.error.code IS NOT NULL | WHERE @timestamp > NOW()- 15m | WHERE aws.elb.backend.status.code != 200| | STATS backend_error_count = COUNT(*), BY cloud.resource_id | WHERE backend_error_count >= 50 | SORT backend_error_count DESC"
+        "esql": "// Alert triggers when any resource.id whose backend service error count exceed a threshold (e.g. > 50 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.elbaccess.otel-default | WHERE aws.elb.backend.status.code >= 500| STATS backend_error_count = COUNT(*), BY cloud.resource_id | WHERE backend_error_count >= 50"
       },
       "groupBy": "row",
       "timeField": "@timestamp"
diff --git a/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-high-data-transfer-rate.json b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-high-data-transfer-rate.json
index 41e6209f25b..7a1d06bd3fe 100644
--- a/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-high-data-transfer-rate.json
+++ b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-high-data-transfer-rate.json
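Review bot: `STATS backend_error_count = COUNT(*), BY cloud.resource_id` on the `+` line keeps the trailing comma before `BY` from the removed line, which ES|QL's STATS grammar does not appear to accept, so the rule is likely to fail at parse time and never alert; it should read `| STATS backend_error_count = COUNT(*) BY cloud.resource_id`. The commit fixes the `| |` double pipe and drops the stale `aws.error.code`/`@timestamp` filters, but a template whose query does not parse is a silent detection gap, so the package's asset tests should load each template and execute its query once. The comment says "> 50" while the condition is `>= 50`; align the two.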
@@ -13,7 +13,7 @@
       "timeWindowSize": 10,
       "timeWindowUnit": "m",
       "esqlQuery": {
-        "esql": "// Alert triggers when any source IP address whose bytes exceed a threshold (e.g. > 50GB in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.vpcflow.otel-default | WHERE @timestamp > NOW()- 10m | STATS total_bytes = SUM(aws.vpc.flow.bytes) BY source.address | WHERE total_bytes > 53687091200 | SORT total_bytes DESC"
+        "esql": "// Alert triggers when any source whose bytes exceed a threshold (e.g. > 50GB in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.vpcflow.otel-default| WHERE aws.vpc.flow.action == \"ACCEPT\"| STATS total_bytes = SUM(aws.vpc.flow.bytes) BY network.interface.name| WHERE total_bytes > 53687091200"
       },
       "groupBy": "row",
       "timeField": "@timestamp"
diff --git a/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-high-reject-actions.json b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-high-reject-actions.json
index 6de27a0d6a0..1faa76320ca 100644
--- a/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-high-reject-actions.json
+++ b/packages/aws_vpcflow_otel/kibana/alerting_rule_template/aws-vpcflow-otel-high-reject-actions.json
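Review bot: Grouping `BY network.interface.name` on the `+` line sums accepted bytes per ENI in both directions, so a busy inbound service trips the rule as readily as bulk egress, and the alert row no longer says which host was talking; if the data set carries a flow-direction field, filter on egress, and otherwise keep the address in the grouping, `| STATS total_bytes = SUM(aws.vpc.flow.bytes) BY network.interface.name, source.address`. The comment still says "any source whose bytes exceed" although the grouping key is now the interface; reword it to "any network interface". A `// 50 GiB` remark next to `53687091200` would spare the reader the arithmetic when retuning the threshold.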
@@ -13,7 +13,7 @@
       "timeWindowSize": 10,
       "timeWindowUnit": "m",
       "esqlQuery": {
-        "esql": "// Alert triggers when any source IP address whose reject requests exceed a threshold (e.g. > 1000 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.vpcflow.otel-default | WHERE @timestamp > NOW()- 10m | STATS reject_count= COUNT(aws.vpc.flow.action == \"REJECT\" OR NULL) BY source.address | WHERE reject_count > 100 | SORT reject_count DESC"
+        "esql": "// Alert triggers when any source whose reject requests exceed a threshold (e.g. > 1000 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.vpcflow.otel-default| WHERE aws.vpc.flow.action == \"REJECT\"| STATS reject_count = COUNT(*) BY network.interface.name| WHERE reject_count > 100"
       },
       "groupBy": "row",
       "timeField": "@timestamp"
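Review bot: The comment on the `+` line still says "> 1000 in 10 minutes" while the condition is `WHERE reject_count > 100`, so either the comment or the threshold is wrong; correct whichever was intended. Grouping `BY network.interface.name` instead of the previous `source.address` changes what the alert identifies — the interface doing the rejecting rather than the host being rejected — so one scanner sweeping many ENIs is now split across groups and may stay under the threshold on each; `| STATS reject_count = COUNT(*) BY network.interface.name, source.address` keeps both in the alert row. Dropping the explicit `@timestamp` filter relies on the rule's `timeField` window, which matches the `timeWindowSize: 10`/`m` context lines; note that dependency in the comment so the two do not drift apart.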