5 changes: 5 additions & 0 deletions packages/aws_cloudtrail_otel/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "0.2.0"
changes:
- description: Add alerting rule templates
type: enhancement
link: https://github.com/elastic/integrations/pull/16750
- version: "0.1.0"
changes:
- description: Initial draft of the AWS CloudTrail Logs OpenTelemetry Assets package
@@ -0,0 +1,28 @@
{
"id": "aws-cloudtrail-otel-high-security-changes",
"type": "alerting_rule_template",
"attributes": {
"name": "[AWS CloudTrail OTEL] Excessive high-risk actions succeed",
"tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
"ruleTypeId": ".es-query",
"schedule": {
"interval": "5m"
},
"params": {
"searchType": "esqlQuery",
"timeWindowSize": 10,
"timeWindowUnit": "m",
"esqlQuery": {
"esql": "// Alert triggers when any high risk actions succeded within a given threshold time from a single user or IP\nFROM logs-aws.cloudtrail.otel-default | WHERE @timestamp > NOW()- 10m | WHERE rpc.method IN (\"StopLogging\", \"DeleteTrail\",\"AttachUserPolicy\", \"AttachRolePolicy\",\"CreateAccessKey\", \"CreateUser\",\"AuthorizeSecurityGroupIngress\",\"DisableKey\", \"ScheduleKeyDeletion\")| STATS change_count = COUNT(*),changes = VALUES(rpc.method) BY user.name, source.address WHERE change_count >= 100 | SORT change_count DESC"
},
"groupBy": "row",
"timeField": "@timestamp"
},
"alertDelay": {
"active": 1
}
},
"managed": true,
"coreMigrationVersion": "8.8.0",
"typeMigrationVersion": "10.1.0"
}
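Review bot: The `esql` string is missing a pipe before the threshold filter — `BY user.name, source.address WHERE change_count >= 100` is not a valid STATS clause (a per-aggregate WHERE has to precede BY and cannot reference the aggregate itself), so this should read `... BY user.name, source.address | WHERE change_count >= 100` as the sibling templates do. The rule name says the actions "succeed", but unlike the resource-deletion template there is no `| WHERE aws.error.code IS NULL` stage, so denied attempts count toward the threshold too; add the filter or rename the rule. With a threshold of 100 in 10 minutes a single `StopLogging` or `DeleteTrail` never alerts, which may be intended for a volume rule but is worth saying in the header comment. The comment also has a typo, `succeded` → `succeeded`.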
@@ -0,0 +1,28 @@
{
"id": "aws-cloudtrail-otel-massive-resource-deletion",
"type": "alerting_rule_template",
"attributes": {
"name": "[AWS CloudTrail OTEL] Massive resource deletion from same IP",
"tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
"ruleTypeId": ".es-query",
"schedule": {
"interval": "5m"
},
"params": {
"searchType": "esqlQuery",
"timeWindowSize": 10,
"timeWindowUnit": "m",
"esqlQuery": {
"esql": "// Alert triggers when any source IP address whose delete requests exceed a threshold (e.g. > 1000 in 15 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.cloudtrail.otel-default | WHERE @timestamp > NOW()- 15m | WHERE aws.error.code IS NULL | WHERE rpc.method IN (\"TerminateInstances\",\"DeleteBucket\",\"DeleteDBInstance\",\"DeleteFunction\",\"DeleteVolume\",\"DeleteSnapshot\") | STATS deletion_count = COUNT(*) BY user.name, source.address | WHERE deletion_count >= 1000 | SORT deletion_count DESC"
},
"groupBy": "row",
"timeField": "@timestamp"
},
"alertDelay": {
"active": 1
}
},
"managed": true,
"coreMigrationVersion": "8.8.0",
"typeMigrationVersion": "10.1.0"
}
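Review bot: The query's own lookback `WHERE @timestamp > NOW()- 15m` disagrees with `timeWindowSize: 10` / `timeWindowUnit: "m"` on the same template; as far as I know the ES query rule applies the configured window on `timeField` itself, so the narrower 10-minute window would win and the "> 1000 in 15 minutes" in the comment is not what gets evaluated. Pick one — either `NOW()- 10m` with the comment changed to 10 minutes, or `"timeWindowSize": 15` — and the same mismatch appears in the ELB backend-target-failures template. Across all the templates a 5m `interval` with a 10m window means one burst can satisfy the threshold on two consecutive runs; that may be intended, but a sentence in the esql header comment would help whoever tunes these.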
@@ -0,0 +1,28 @@
{
"id": "aws-cloudtrail-otel-multiple-errors-spike",
"type": "alerting_rule_template",
"attributes": {
"name": "[AWS CloudTrail OTEL] Multiple error spike from same IP",
"tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
"ruleTypeId": ".es-query",
"schedule": {
"interval": "5m"
},
"params": {
"searchType": "esqlQuery",
"timeWindowSize": 10,
"timeWindowUnit": "m",
"esqlQuery": {
"esql": "// Alert triggers when any source IP address whose error count exceed a threshold (e.g. > 100 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.cloudtrail.otel-default | WHERE aws.error.code IS NOT NULL | WHERE @timestamp > NOW()- 10m | STATS error_count = COUNT(*) BY source.address | WHERE error_count >= 100 | SORT error_count DESC"
},
"groupBy": "row",
"timeField": "@timestamp"
},
"alertDelay": {
"active": 1
}
},
"managed": true,
"coreMigrationVersion": "8.8.0",
"typeMigrationVersion": "10.1.0"
}
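Review bot: The STATS stage groups by `source.address` only, so an alert row carries nothing a responder can act on beyond the IP; the failed-login template in this same package collects `VALUES(user.name)` next to the count, and doing the same here — `STATS error_count = COUNT(*), users = VALUES(user.name), codes = VALUES(aws.error.code) BY source.address` — keeps the two CloudTrail rules consistent and shows which identities and error codes made up the spike. As a style point, the `aws.error.code IS NOT NULL` filter sits before the time filter here while every other template puts the time filter first; the order does not change the result, but matching the siblings makes the queries easier to compare.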
@@ -0,0 +1,28 @@
{
"id": "aws-cloudtrail-otel-multiple-failed-login-ip",
"type": "alerting_rule_template",
"attributes": {
"name": "[AWS CloudTrail OTEL] Multiple failed login attempts from same IP",
"tags": ["AWS CloudTrail Logs OpenTelemetry Assets"],
"ruleTypeId": ".es-query",
"schedule": {
"interval": "5m"
},
"params": {
"searchType": "esqlQuery",
"timeWindowSize": 10,
"timeWindowUnit": "m",
"esqlQuery": {
"esql": "// Alert triggers when any source IP address whose reject requests exceed a threshold (e.g. > 100 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.cloudtrail.otel-default | WHERE @timestamp > NOW()- 10m | WHERE rpc.method == \"ConsoleLogin\" | WHERE aws.error.code IS NOT NULL | STATS failed_count = COUNT(*), users_tried = VALUES(user.name) BY source.address | WHERE failed_count >= 100 | SORT failed_count DESC"
},
"groupBy": "row",
"timeField": "@timestamp"
},
"alertDelay": {
"active": 1
}
},
"managed": true,
"coreMigrationVersion": "8.8.0",
"typeMigrationVersion": "10.1.0"
}
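Review bot: The failure condition `WHERE aws.error.code IS NOT NULL` may not match console login failures: in raw CloudTrail a failed `ConsoleLogin` event is recorded with `responseElements.ConsoleLogin = "Failure"` and an `errorMessage` of "Failed authentication", and I am not certain an `errorCode` is set on those events — worth confirming against sample documents in `logs-aws.cloudtrail.otel-default` and, if it is absent, keying the filter on whatever field the OTel mapping carries for that outcome. If the field is never populated the rule silently never fires, which is the worst failure mode for a brute-force detection. Otherwise the shape of the query (count plus `users_tried = VALUES(user.name)` per source) is the most useful of the set.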
2 changes: 1 addition & 1 deletion packages/aws_cloudtrail_otel/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.5.0
name: aws_cloudtrail_otel
title: "AWS CloudTrail Logs OpenTelemetry Assets"
version: 0.1.0
version: 0.2.0
source:
license: "Elastic-2.0"
description: "AWS CloudTrail Logs OpenTelemetry Assets"
5 changes: 5 additions & 0 deletions packages/aws_elb_otel/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "0.2.0"
changes:
- description: Add alerting rule templates
type: enhancement
link: https://github.com/elastic/integrations/pull/16750
- version: "0.1.1"
changes:
- description: Add "Alternative setup using awss3receiver" section to README
@@ -0,0 +1,30 @@
{
"id": "aws-elb-otel-application-level-failures",
"type": "alerting_rule_template",
"attributes": {
"name": "[AWS ELB OTEL] Applicationl level failures",
"tags": [
"AWS Elb Logs OpenTelemetry Assets"
],
"ruleTypeId": ".es-query",
"schedule": {
"interval": "5m"
},
"params": {
"searchType": "esqlQuery",
"timeWindowSize": 10,
"timeWindowUnit": "m",
"esqlQuery": {
"esql": "// Alert triggers when any client IP address whose error count exceed a threshold (e.g. > 50 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.elbaccess.otel-default | WHERE @timestamp > NOW()- 10m | WHERE aws.elb.status.code != 200| STATS error_count = COUNT(*) BY client.address | WHERE error_count >= 50 | SORT error_count DESC"
should client errors, e.g. 404, trigger this alert?

},
"groupBy": "row",
"timeField": "@timestamp"
},
"alertDelay": {
"active": 1
}
},
"managed": true,
"coreMigrationVersion": "8.8.0",
"typeMigrationVersion": "10.1.0"
}
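Review bot: The rule name on the `name` line has a typo, `Applicationl level failures` → `Application level failures`. The tag value `AWS Elb Logs OpenTelemetry Assets` also differs in casing and wording from the package title `AWS ELB OpenTelemetry Assets` in manifest.yml, so if tags are matched literally the two ELB templates may not be grouped with the package's other assets as intended — worth aligning. The `tags` array is split over three lines here while every other template in this PR writes it on one line; one style across the set would be easier to diff.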
@@ -0,0 +1,28 @@
{
"id": "aws-elb-otel-backend-target-failures",
"type": "alerting_rule_template",
"attributes": {
"name": "[AWS ELB OTEL] Backend target failures",
"tags": ["AWS Elb Logs OpenTelemetry Assets"],
"ruleTypeId": ".es-query",
"schedule": {
"interval": "5m"
},
"params": {
"searchType": "esqlQuery",
"timeWindowSize": 10,
"timeWindowUnit": "m",
"esqlQuery": {
"esql": "// Alert triggers when any source IP address whose backend error count exceed a threshold (e.g. > 100 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.elbaccess.otel-default | WHERE aws.error.code IS NOT NULL | WHERE @timestamp > NOW()- 15m | WHERE aws.elb.backend.status.code != 200| | STATS backend_error_count = COUNT(*), BY cloud.resource_id | WHERE backend_error_count >= 50 | SORT backend_error_count DESC"
},
"groupBy": "row",
"timeField": "@timestamp"
},
"alertDelay": {
"active": 1
}
},
"managed": true,
"coreMigrationVersion": "8.8.0",
"typeMigrationVersion": "10.1.0"
}
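Review bot: The `esql` string will not parse as written: there is an empty stage from the doubled pipe in `!= 200| | STATS`, and a trailing comma in `COUNT(*), BY cloud.resource_id`. It also filters on `aws.error.code IS NOT NULL`, which is the CloudTrail error field used by the sibling package; if that field is not mapped in the ELB access-log data stream the query either fails verification or matches nothing, and the `NOW()- 15m` lookback disagrees with `timeWindowSize: 10` and with the comment's "10 minutes" (and the comment's "> 100" with the `>= 50` threshold). A consistent version would be `FROM logs-aws.elbaccess.otel-default | WHERE @timestamp > NOW()- 10m | WHERE aws.elb.backend.status.code != 200 | STATS backend_error_count = COUNT(*) BY cloud.resource_id | WHERE backend_error_count >= 50 | SORT backend_error_count DESC`, with the comment updated to say 50.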
2 changes: 1 addition & 1 deletion packages/aws_elb_otel/manifest.yml
@@ -1,7 +1,7 @@
format_version: 3.5.0
name: aws_elb_otel
title: "AWS ELB OpenTelemetry Assets"
version: 0.1.1
version: 0.2.0
source:
license: "Elastic-2.0"
description: "AWS ELB logs for OpenTelemetry Collector"
5 changes: 5 additions & 0 deletions packages/aws_vpcflow_otel/changelog.yml
@@ -1,4 +1,9 @@
# newer versions go on top
- version: "0.2.0"
changes:
- description: Add alerting rule templates
type: enhancement
link: https://github.com/elastic/integrations/pull/16750
- version: "0.1.1"
changes:
- description: Add "Alternative setup using awss3receiver" section to README
@@ -0,0 +1,28 @@
{
"id": "aws-vpcflow-otel-massive-data-transfer",
"type": "alerting_rule_template",
"attributes": {
"name": "[AWS VPC OTEL] Excessive data transfer from a single source",
[AWS VPC OTEL] doesn't seem very user friendly

can we remove 'OTEL'?

"tags": ["AWS VPC Logs OpenTelemetry Assets"],
"ruleTypeId": ".es-query",
"schedule": {
"interval": "5m"
},
"params": {
"searchType": "esqlQuery",
"timeWindowSize": 10,
"timeWindowUnit": "m",
"esqlQuery": {
"esql": "// Alert triggers when any source IP address whose bytes exceed a threshold (e.g. > 50GB in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.vpcflow.otel-default | WHERE @timestamp > NOW()- 10m | STATS total_bytes = SUM(aws.vpc.flow.bytes) BY source.address | WHERE total_bytes > 53687091200 | SORT total_bytes DESC"
},
"groupBy": "row",
"timeField": "@timestamp"
},
"alertDelay": {
"active": 1
}
},
"managed": true,
"coreMigrationVersion": "8.8.0",
"typeMigrationVersion": "10.1.0"
}
@@ -0,0 +1,28 @@
{
"id": "aws-vpcflow-otel-reject-ip",
"type": "alerting_rule_template",
"attributes": {
"name": "[AWS VPC OTEL] Excessive REJECT actions with single source IP",
"tags": ["AWS VPC Logs OpenTelemetry Assets"],
"ruleTypeId": ".es-query",
"schedule": {
"interval": "5m"
},
"params": {
"searchType": "esqlQuery",
"timeWindowSize": 10,
"timeWindowUnit": "m",
"esqlQuery": {
"esql": "// Alert triggers when any source IP address whose reject requests exceed a threshold (e.g. > 1000 in 10 minutes)\n// You can adjust the threshold value in WHERE clause as needed.\nFROM logs-aws.vpcflow.otel-default | WHERE @timestamp > NOW()- 10m | STATS reject_count= COUNT(aws.vpc.flow.action == \"REJECT\" OR NULL) BY source.address | WHERE reject_count > 100 | SORT reject_count DESC"
},
"groupBy": "row",
"timeField": "@timestamp"
},
"alertDelay": {
"active": 1
}
},
"managed": true,
"coreMigrationVersion": "8.8.0",
"typeMigrationVersion": "10.1.0"
}
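Review bot: The header comment says the threshold is "> 1000 in 10 minutes" but the filter is `WHERE reject_count > 100`; align one with the other so whoever tunes the rule is not misled. The `COUNT(aws.vpc.flow.action == "REJECT" OR NULL)` idiom works but is opaque; filtering before aggregating — `| WHERE aws.vpc.flow.action == "REJECT" | STATS reject_count = COUNT(*) BY source.address` — reads more directly and yields the same rows above threshold, since sources with zero rejects are below it anyway. Minor: `reject_count= COUNT` is missing the space before `=` that the other templates use.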
2 changes: 1 addition & 1 deletion packages/aws_vpcflow_otel/manifest.yml
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
format_version: 3.5.0
name: aws_vpcflow_otel
title: "AWS VPC Flow Logs OpenTelemetry Assets"
version: 0.1.1
version: 0.2.0
source:
license: "Elastic-2.0"
description: "AWS VPC Flow Logs OpenTelemetry Assets"