Summary
The Elastic Endgame rule titled "Ransomware - Prevented - Elastic Endgame" detects and alerts on ransomware-related activity that the Elastic Endgame security solution has already prevented. It matches events that the Endgame module emits as alerts and that carry a prevention action for ransomware, i.e. cases where ransomware activity was identified but blocked rather than allowed to run. The rule evaluates logs from the last 15 minutes on each execution. Because a ransomware incident can produce a large volume of prevention events in a short time, the rule is configured with a higher maximum number of alerts per execution than the default limit set in Kibana's system settings, so that alerts are not silently dropped when many events arrive at once.
Categories
- Endpoint
- Cloud
- Infrastructure
Data Sources
- User Account
- Network Traffic
Created: 2020-02-18