External Alertsedit

Generates a detection alert for each external alert written to the configured indices. Enabling this rule allows you to immediately begin investigating external alerts in the app.

Rule type: query

Rule indices:

  • apm--transaction
  • traces-apm*
  • auditbeat-*
  • filebeat-*
  • logs-*
  • packetbeat-*
  • winlogbeat-*

Severity: medium

Risk score: 47

Runs every: 5m

Searches indices from: None (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 10000

References: None


  • OS: Windows
  • Data Source: APM
  • OS: macOS
  • OS: Linux

Version: 102

Rule authors:

  • Elastic

Rule license: Elastic License v2

Rule queryedit

event.kind:alert and not event.module:(endgame or endpoint or cloud_defend)