Closed
Labels: Rule: Tuning (tweaking or tuning an existing rule), stale (60 days of inactivity), v7.11.0, v7.12.0 (7.12 rules release package), v7.13.0 (7.13 rules release package)
Description
If using the Elastic Agent, the events go into the logs-* index. All rule types that also have an Agent integration (example - AWS) will need to be updated/reviewed to ensure they work correctly with a standalone beat and the Elastic Agent index pattern. For the AWS example, we need to add logs-aws* to each rule.
Roadmap - https://github.com/elastic/security-team/issues/224 and https://github.com/elastic/siem-team/issues/767
Review rule types

For 7.10

- AWS
  - Agent integration: yes
  - PR (if applicable): [Rule Tuning] Update AWS rules to account for Agent index #256
- Okta
  - Agent integration: yes in 7.10
  - PR (if applicable): [Rule Tuning] Update Okta rules to include Agent index pattern #295

For 7.11

- GCP
  - Agent integration:
  - PR (if applicable): n/a
- Linux
  - Agent integration:
  - PR (if applicable):
- O365
  - Agent integration:
  - PR (if applicable): [Rule Tuning] Update rules for new Fleet integrations #729
- GSuite
  - Agent integration:
  - PR (if applicable):
- Azure
  - Agent integration:
  - PR (if applicable): [Rule Tuning] Update rules for new Fleet integrations #729

For 7.12

- Windows integration
  - index: logs-windows.*
  - PR: [Rule Tuning] Add windows integration index to rules #923

TBD

- Cross-platform
  - Agent integration:
  - PR (if applicable):
- Network
  - Agent integration:
  - PR (if applicable):
- ML Jobs
  - PR (if applicable):
Example

```toml
index = ["filebeat-*", "logs-aws*"]
```
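The review-and-update step this issue asks for, as an added example that is not part of the issue or of the detection-rules repository's own tooling: a small Python script that reads a rule file, reports which Agent index patterns it is missing, and appends them to the `index` array without reserializing the rest of the file. It assumes rule files are TOML with `index = [...]` and `tags = [...]` arrays in the `[rule]` table, that the integration a rule covers can be read from a tag such as "AWS", and, beyond the `logs-aws*` and `logs-windows.*` patterns named on this page, that Okta maps to `logs-okta*` (an assumption for illustration). The sample rule is constructed, not a file from the repository.

```python
"""Audit detection rules for missing Elastic Agent index patterns.

Added example for this issue; not code from the detection-rules repo.
Assumptions: rule files are TOML with `index = [...]` and `tags = [...]`
arrays in the [rule] table, and the integration a rule covers can be read
from a tag such as "AWS".  `logs-aws*` and `logs-windows.*` are the
patterns named in the issue; `logs-okta*` is assumed for illustration.
"""
import re
from typing import Dict, List, Tuple

# integration tag -> Agent (Fleet) data-stream pattern to add alongside the
# Beats pattern the rule already has
INTEGRATION_PATTERNS: Dict[str, str] = {
    "AWS": "logs-aws*",
    "Okta": "logs-okta*",        # assumed, not taken from the page
    "Windows": "logs-windows.*",
}

# `index = [ ... ]` at the start of a line; DOTALL so multi-line arrays match
_INDEX_RE = re.compile(r'^(?P<lead>index\s*=\s*\[)(?P<body>.*?)(?P<tail>\])',
                       re.MULTILINE | re.DOTALL)
_TAGS_RE = re.compile(r'^tags\s*=\s*\[(?P<body>.*?)\]', re.MULTILINE | re.DOTALL)


def _strings(array_body: str) -> List[str]:
    """Extract the double-quoted strings from a TOML array body."""
    return re.findall(r'"([^"]*)"', array_body)


def index_patterns(rule_toml: str) -> List[str]:
    """Index patterns the rule currently queries."""
    m = _INDEX_RE.search(rule_toml)
    return _strings(m.group("body")) if m else []


def required_agent_patterns(rule_toml: str) -> List[str]:
    """Agent patterns the rule needs, decided from its integration tags."""
    m = _TAGS_RE.search(rule_toml)
    tags = _strings(m.group("body")) if m else []
    return [INTEGRATION_PATTERNS[t] for t in tags if t in INTEGRATION_PATTERNS]


def missing_agent_patterns(rule_toml: str) -> List[str]:
    """Review mode: Agent patterns the rule should have but does not."""
    have = set(index_patterns(rule_toml))
    return [p for p in required_agent_patterns(rule_toml) if p not in have]


def add_agent_patterns(rule_toml: str) -> Tuple[str, List[str]]:
    """Update mode: append the missing patterns to the `index` array.

    Only the array itself is rewritten (as a single line), so the rest of
    the file keeps its formatting.  Returns (new_text, patterns_added).
    """
    missing = missing_agent_patterns(rule_toml)
    m = _INDEX_RE.search(rule_toml)
    if not missing or m is None:
        return rule_toml, []
    patterns = index_patterns(rule_toml) + missing
    array = m.group("lead") + ", ".join(f'"{p}"' for p in patterns) + m.group("tail")
    return rule_toml[: m.start()] + array + rule_toml[m.end():], missing


# Constructed sample rule, not a file from the repository.
SAMPLE_AWS_RULE = """[metadata]
creation_date = "2020/06/01"

[rule]
author = ["Elastic"]
index = ["filebeat-*"]
language = "kuery"
name = "Example AWS CloudTrail Rule"
query = "event.dataset:aws.cloudtrail and event.action:DeleteTrail"
tags = ["Elastic", "Cloud", "AWS", "Continuous Monitoring"]
type = "query"
"""

if __name__ == "__main__":
    print("missing:", missing_agent_patterns(SAMPLE_AWS_RULE))
    updated, added = add_agent_patterns(SAMPLE_AWS_RULE)
    print("added:", added)
    print(updated)
```

Running the script on the sample reports `logs-aws*` as missing and rewrites the array to `index = ["filebeat-*", "logs-aws*"]`, the shape shown in the Example above; running it again on the result is a no-op, which is the check to make before opening a tuning PR across a whole rule directory. A rule without a recognised integration tag is left untouched rather than guessed at.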
