
Security Generate Security Sample Data
Populate Elastic Security with package-specific events and multi-step attack scenarios so solo builders can test detections and dashboards without production traffic.
Overview
Security Generate Security Sample Data is an agent skill for the Ship phase that documents how to generate Elastic Security sample events and correlated attack scenarios for detection and dashboard testing.
Install
npx skills add https://github.com/elastic/agent-skills --skill security-generate-security-sample-data
What is this skill?
- Generates events for five packages: system, endpoint, windows, aws, and okta
- Ships correlated, multi-step attack simulation scenarios indexed for Discover and dashboards
- Gives scenario events field values that match the patterns targeted by prebuilt detection rules
- Uses RFC 5737 and RFC 2606 documentation addresses so synthetic traffic never points at a real host or triggers a real-world alert
- Documents the event tables and attack chains in the sample-data.js reference material
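As an added example (my code, not the skill's own sample-data.js), the address discipline described in the list above, turned into a check that runs before anything is indexed: every IPv4 address must fall inside an RFC 5737 block and every host or domain name under an RFC 2606 reserved name, and the events are then serialised as the `_bulk` body the `logs-system.auth-default` data stream accepts. The SSH events, the `bastion.example.org` host and the `deploy` user are constructed; field names follow ECS and the System integration's auth dataset as I know them.

```javascript
// Added example, not the skill's own sample-data.js: keep synthetic events inside
// RFC 5737 / RFC 2606 documentation space and serialise them as the _bulk body a
// data stream accepts. SSH events, host and user names are constructed here;
// field names follow ECS and the system.auth data stream as I know them.

// RFC 5737: 192.0.2.0/24 (TEST-NET-1), 198.51.100.0/24 (TEST-NET-2), 203.0.113.0/24 (TEST-NET-3).
const SAFE_V4_PREFIXES = ["192.0.2.", "198.51.100.", "203.0.113."];
// RFC 2606: reserved top-level domains and the example.* second-level domains.
const SAFE_TLDS = ["test", "example", "invalid", "localhost"];
const SAFE_DOMAINS = ["example.com", "example.net", "example.org"];
const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

// True only for a well-formed IPv4 address inside one of the three documentation /24s.
function isSafeIPv4(ip) {
  const m = IPV4_RE.exec(ip);
  if (!m || m.slice(1).some((octet) => Number(octet) > 255)) return false;
  return SAFE_V4_PREFIXES.some((prefix) => ip.startsWith(prefix));
}

// True for a name that is, or sits under, an RFC 2606 reserved name.
function isSafeName(name) {
  const n = String(name).toLowerCase().replace(/\.$/, "");
  if (SAFE_DOMAINS.some((d) => n === d || n.endsWith(`.${d}`))) return true;
  return SAFE_TLDS.some((tld) => n === tld || n.endsWith(`.${tld}`));
}

// Keys whose string values name hosts or domains; host.name is matched by path below.
const NAME_KEYS = new Set(["domain", "hostname", "registered_domain", "server_name"]);

// Walk a document and return "path=value" for every address outside documentation space.
function findUnsafeAddresses(doc, path = "") {
  const unsafe = [];
  for (const [key, value] of Object.entries(doc)) {
    const here = path ? `${path}.${key}` : key;
    if (value !== null && typeof value === "object") {
      unsafe.push(...findUnsafeAddresses(value, here));
    } else if (typeof value === "string") {
      if (IPV4_RE.test(value)) {
        if (!isSafeIPv4(value)) unsafe.push(`${here}=${value}`);
      } else if ((NAME_KEYS.has(key) || here === "host.name") && !isSafeName(value)) {
        unsafe.push(`${here}=${value}`);
      }
    }
  }
  return unsafe;
}

// One sshd authentication event in the shape of the system.auth data stream.
function sshEvent(timestamp, outcome, sourceIp) {
  const verb = outcome === "success" ? "Accepted" : "Failed";
  return {
    "@timestamp": timestamp,
    data_stream: { type: "logs", dataset: "system.auth", namespace: "default" },
    event: { kind: "event", dataset: "system.auth", category: ["authentication"], type: ["start"], action: "ssh_login", outcome },
    host: { name: "bastion.example.org" },
    user: { name: "deploy" },
    source: { ip: sourceIp, port: 51522 },
    process: { name: "sshd" },
    message: `${verb} password for deploy from ${sourceIp} port 51522 ssh2`,
  };
}

// Constructed scenario: two failures then a success from one TEST-NET-2 address.
const SAMPLE_EVENTS = [
  sshEvent("2024-01-15T09:00:00Z", "failure", "198.51.100.7"),
  sshEvent("2024-01-15T09:00:05Z", "failure", "198.51.100.7"),
  sshEvent("2024-01-15T09:00:12Z", "success", "198.51.100.7"),
];
// Deliberately unsafe: a public resolver address and a domain nobody reserved for us.
const UNSAFE_EVENT = sshEvent("2024-01-15T09:01:00Z", "failure", "8.8.8.8");
UNSAFE_EVENT.host.name = "bastion.corp-lab.io";

// Serialise for POST /_bulk. Data streams only accept the `create` action, and the
// body must end with a newline. Refuses to emit anything outside documentation space.
function toBulkNdjson(docs, dataStream) {
  const unsafe = docs.flatMap((d) => findUnsafeAddresses(d));
  if (unsafe.length > 0) {
    throw new Error(`refusing to index non-documentation addresses: ${unsafe.join(", ")}`);
  }
  return docs
    .map((d) => `${JSON.stringify({ create: { _index: dataStream } })}\n${JSON.stringify(d)}\n`)
    .join("");
}

console.log(toBulkNdjson(SAMPLE_EVENTS, "logs-system.auth-default"));
console.log("rejected:", findUnsafeAddresses(UNSAFE_EVENT));
```

Write the output to a file and send it with `curl -s -X POST "$ES_URL/_bulk" -H 'Content-Type: application/x-ndjson' --data-binary @events.ndjson`. Install the System integration first so the `logs-system.auth-*` index template and its ECS mappings exist; otherwise the documents land under whatever mappings the default `logs-*-*` template provides, and rule queries that expect the integration's field types may not match them.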
Adoption & trust: 985 installs on skills.sh; 502 GitHub stars; 3/3 security scanners passed (skills.sh audits).
What problem does it solve?
You are configuring Elastic Security but have no realistic, rule-aligned event volume to exercise dashboards, Discover, and prebuilt detections.
Who is it for?
Indie builders or small teams bootstrapping Elastic Security labs, rule QA, or demo environments without touching production identities or networks.
Skip if: you already ingest enough production telemetry, or you only need non-security Elastic Stack features and are not validating SIEM detections.
When should I use this skill?
You need Elastic Security sample events or attack simulation scenarios for dashboards, Discover, or rule validation using the documented sample-data reference.
What do I get? / Deliverables
You get package-specific synthetic events and multi-step attack chains safe for staging, indexed into standard data streams that resemble real detection targets.
- Indexed synthetic security events per package type
- Correlated attack-scenario event sequences for rule and dashboard testing
Journey fit
Synthetic security telemetry is created to validate rules and dashboards before or alongside a production rollout, which places it on the ship-phase security shelf. The skill targets detection-rule realism, correlated attack chains, and safe RFC 5737 addressing: core pre-launch security validation work, not generic backend coding.
How it compares
Use for documented synthetic SIEM datasets instead of ad-hoc one-off JSON blobs or copying sensitive production logs into dev.
Common Questions / FAQ
Who is security-generate-security-sample-data for?
Solo builders and small teams using Elastic Security who need realistic log and attack-chain data to test rules, dashboards, and Discover without production traffic.
When should I use security-generate-security-sample-data?
During ship-phase security work when standing up or hardening Elastic Security: after the integrations exist but before you trust their detections in production, or whenever you need correlated scenarios for the system, endpoint, Windows, AWS, or Okta streams.
Is security-generate-security-sample-data safe to install?
Review the Security Audits panel on this Prism page, and run the scripts only under your normal change controls: the synthetic alert scenarios write directly into `.alerts-security.alerts-default`, so point the runner at a lab or staging cluster rather than one whose alert index analysts rely on. The skill itself documents safe synthetic addressing, not live threat intel.
SKILL.md - Security Generate Security Sample Data
# Sample Data Reference

Detailed tables for events, attack scenarios, and synthetic alerts generated by `sample-data.js`.

## Supported packages

| Package | Event types generated |
| --- | --- |
| `system` | SSH auth success/failure, process start, syslog |
| `endpoint` | Process exec, network connection, file creation |
| `windows` | Logon 4624/4625, process creation 4688 |
| `aws` | CloudTrail: ConsoleLogin, AssumeRole, API calls |
| `okta` | Session start, MFA auth, account lock/password change |

All events use RFC 5737 / RFC 2606 safe addresses to avoid triggering real security alerts.

## Attack simulation scenarios

Correlated, multi-step event sequences that mirror real-world attack chains. Events are indexed into standard data streams with field values that resemble patterns targeted by prebuilt detection rules, providing realistic log activity for dashboards and Discover.

| Scenario | Attack chain | Rules targeted |
| --- | --- | --- |
| `windowsCredentialAccess` | Failed logins, success, encoded PowerShell, scheduled task, LSASS dump, SAM export | Credential Dumping, Suspicious PowerShell, Scheduled Task Persistence |
| `awsIAMEscalation` | Console login without MFA, create IAM user, attach admin policy, create access keys, turn off trail | AWS Console Login Without MFA, IAM Privilege Escalation, CloudTrail Logging Off |
| `oktaAccountTakeover` | 10 failed logins, 5 MFA push rejections, successful login, admin role grant, policy modification | Okta Brute Force, MFA Bombing, Admin Role Assigned |
| `ransomwareChain` | Phishing macro, encoded PowerShell, LSASS dump, C2 beacon, shadow copy deletion, file encryption, ransom note | Macro Execution, LSASS Dump, C2 Beacon, Volume Shadow Copy Deletion, Ransomware |

## Synthetic alert scenarios

Alert documents indexed directly into `.alerts-security.alerts-default` with MITRE ATT&CK mappings, risk scores, and severity levels. These power Attack Discovery without waiting for detection rules to fire.

| Alert scenario | Alerts generated | Severities |
| --- | --- | --- |
| `credentialAccessAlerts` | Windows brute force, encoded PowerShell, scheduled task, LSASS dump, SAM export | high, high, medium, critical, critical |
| `awsEscalationAlerts` | Console login without MFA, IAM user created, admin policy attached, CloudTrail turned off | high, medium, critical, critical |
| `oktaTakeoverAlerts` | Brute force, MFA bombing, admin role grant, policy modification | high, high, critical, high |
| `ransomwareAlerts` | Macro execution, C2 beacon, LSASS dump, shadow copy deletion, file encryption, ransom note | high, critical, critical, critical, critical, critical |

## demo-walkthrough.js

```javascript
#!/usr/bin/env node
/**
 * Zero-friction sample data runner.
 *
 * Usage:
 *   node demo-walkthrough.js                # Generate everything once
 *   node demo-walkthrough.js --continuous   # Keep streaming events
 *   node demo-walkthrough.js --cleanup      # Remove all sample data
 */
import { exec } fro
```
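As an added example (my code, not the skill's own sample-data.js), the `credentialAccessAlerts` scenario from the synthetic alert table, built as the five alert documents that go into `.alerts-security.alerts-default`, each carrying the severity the table lists, Elastic Security's default risk score for that severity, and a MITRE ATT&CK tactic and technique mapping. The `kibana.alert.*` field names follow the Elastic Security alert schema as I know it and should be checked against the live `.alerts-security.alerts-*` mapping before indexing; the rule names, rule ids, host, user and source address are constructed for the example.

```javascript
// Added example, not the skill's sample-data.js: the five credentialAccessAlerts
// documents for .alerts-security.alerts-default. kibana.alert.* field names follow
// the Elastic Security alert schema as I know it (verify against the live mapping);
// rule names, rule ids, host, user and source address are constructed.

// Elastic Security's default severity -> risk score pairing.
const RISK_SCORE = { low: 21, medium: 47, high: 73, critical: 99 };

const SCENARIO = {
  name: "credentialAccessAlerts",
  host: "ws-finance-07.corp.example.com", // RFC 2606 reserved domain
  user: "jdoe",
  sourceIp: "203.0.113.42",               // RFC 5737 TEST-NET-3
  spaceId: "default",
};

// One row per step of the chain; severities are the ones the table above lists.
// Rule names are constructed, not the titles of Elastic's prebuilt rules.
const STEPS = [
  { rule: "Windows Brute Force Logon Attempts", severity: "high",
    tactic: ["TA0006", "Credential Access"], technique: ["T1110", "Brute Force"],
    reason: "10 failed logons (4625) followed by a success (4624)" },
  { rule: "Encoded PowerShell Command Line", severity: "high",
    tactic: ["TA0002", "Execution"], technique: ["T1059.001", "PowerShell"],
    reason: "powershell.exe started with -EncodedCommand" },
  { rule: "Scheduled Task Created", severity: "medium",
    tactic: ["TA0003", "Persistence"], technique: ["T1053.005", "Scheduled Task"],
    reason: "schtasks.exe created a task that launches PowerShell" },
  { rule: "LSASS Memory Dump", severity: "critical",
    tactic: ["TA0006", "Credential Access"], technique: ["T1003.001", "LSASS Memory"],
    reason: "a minidump of lsass.exe was written to disk" },
  { rule: "SAM Registry Hive Export", severity: "critical",
    tactic: ["TA0006", "Credential Access"], technique: ["T1003.002", "Security Account Manager"],
    reason: "reg.exe saved HKLM\\SAM to a file" },
];

// attack.mitre.org URLs: sub-technique T1003.001 lives at /techniques/T1003/001/.
function attackUrl(kind, id) {
  return `https://attack.mitre.org/${kind}/${id.replace(".", "/")}/`;
}

function buildAlert(step, index, start) {
  const ts = new Date(start.getTime() + index * 120_000).toISOString(); // two minutes apart
  // Stable ids: a rerun overwrites the same five documents instead of adding five more.
  const alertId = `sample-${SCENARIO.name}-${index + 1}`;
  const ruleId = `sample-rule-${SCENARIO.name}-${index + 1}`;
  return {
    "@timestamp": ts,
    "event.kind": "signal",
    "kibana.space_ids": [SCENARIO.spaceId],
    "kibana.alert.uuid": alertId,
    "kibana.alert.status": "active",
    "kibana.alert.workflow_status": "open",
    "kibana.alert.severity": step.severity,
    "kibana.alert.risk_score": RISK_SCORE[step.severity],
    "kibana.alert.original_time": ts,
    "kibana.alert.reason": `${step.reason} for user ${SCENARIO.user} on ${SCENARIO.host} from ${SCENARIO.sourceIp}`,
    "kibana.alert.rule.uuid": ruleId,
    "kibana.alert.rule.rule_id": ruleId,
    "kibana.alert.rule.name": step.rule,
    "kibana.alert.rule.consumer": "siem",
    "kibana.alert.rule.producer": "siem",
    "kibana.alert.rule.rule_type_id": "siem.queryRule",
    "kibana.alert.rule.tags": ["sample-data", SCENARIO.name], // lets --cleanup find them
    "kibana.alert.rule.threat": [{
      framework: "MITRE ATT&CK",
      tactic: { id: step.tactic[0], name: step.tactic[1], reference: attackUrl("tactics", step.tactic[0]) },
      technique: [{ id: step.technique[0], name: step.technique[1], reference: attackUrl("techniques", step.technique[0]) }],
    }],
    "host.name": SCENARIO.host,
    "user.name": SCENARIO.user,
    "source.ip": SCENARIO.sourceIp,
  };
}

function buildCredentialAccessAlerts(start = new Date("2024-01-15T09:00:00Z")) {
  return STEPS.map((step, i) => buildAlert(step, i, start));
}

// Severity histogram, { high: 2, medium: 1, critical: 2 } for this scenario.
function countBySeverity(alerts) {
  return alerts.reduce((acc, a) => {
    const s = a["kibana.alert.severity"];
    acc[s] = (acc[s] || 0) + 1;
    return acc;
  }, {});
}

// The alerts alias fronts a concrete index rather than a data stream, so `index`
// with an explicit _id is accepted and makes reruns idempotent.
function toAlertBulkNdjson(alerts) {
  return alerts
    .map((a) => `${JSON.stringify({ index: { _index: ".alerts-security.alerts-default", _id: a["kibana.alert.uuid"] } })}\n${JSON.stringify(a)}\n`)
    .join("");
}

console.log(toAlertBulkNdjson(buildCredentialAccessAlerts()));
```

Because every document carries the `sample-data` tag and a deterministic id, a cleanup pass can delete by `kibana.alert.rule.tags: sample-data` without touching alerts that real rules produced, and running the generator twice leaves five alerts, not ten.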