27 default Elastic Security rules contain definitions to non-existent indices and are broken

Hi there,
As an example, the Elastic-supplied default 'Endpoint Security' rule contains a hard-coded definition to the index pattern 'logs-endpoint.alerts-*'; however, this index pattern does not exist, and so this rule generates a warning.

I believe the rule should reference 'logs-endpoint.events.*'.
I created a duplicate rule and called it 'Endpoint Security Events' and referenced this index and it seems to work well.

There are a total of 27 rules which exhibit this type of warning, and therefore don't work, which is pretty worrying given they are the default supplied rules which ship with the product.

This problem exists in 8.1.2 and 8.1.3.


I think the best you can do is create an issue on the GitHub repository; it will then be picked up by the maintainers.

Digging into this a bit more, it may be the case that these indices don't get created by Endpoint in the free tier, although the documentation is vague about this.

If someone from Elastic could verify this, it would be helpful.

@finbarr996 - apologies for the delay in response.

The Security Endpoint will create these data streams for you in any tier, but there first need to be deployed Endpoints streaming the appropriate data.

If you have deployed Endpoints, you're likely already streaming in many different types of Events and Metrics so you should see several existing data streams with the logs-endpoint* and metrics-endpoint* prefixes. You likely do not see the logs-endpoint.alerts-* data stream created because the Security Endpoints have not detected any malicious activity on your hosts, yet.

One way to generate an alert for testing (and to create the data stream) is to download an EICAR test file on to one of your hosts. When you access the file the Security Endpoint will generate an alert and stream it to ES. Then the logs-endpoint.alerts-* data stream will be created and the warning in the original rule will go away.

The default Endpoint Security rule that references logs-endpoint.alerts-* is the key rule that will promote Endpoint Security alerts so that they show up in your Alerts list. Be sure to re-enable it when using the EICAR file above.

Let me know if this helps or you have additional questions.

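As an added example (not Elastic's code and not from anyone in this thread), a Python check that reconciles each rule's index patterns against the data streams that actually exist; it reproduces the warning described above for a host that has Endpoint deployed but has not yet produced an alert. The Elasticsearch URL and API key in the live helper are assumptions, and the sample streams and rules are constructed.

```python
"""Reconcile detection-rule index patterns against existing data streams.

Added example, not Elastic's code. A rule's `index` field lists the patterns it
queries; a pattern such as logs-endpoint.alerts-* only gains a backing data
stream once an Endpoint ships its first alert, so the rule warns until then.
"""
import fnmatch
import json
import urllib.request


def unmatched_patterns(rule_patterns, existing_streams):
    """Return the rule's index patterns that match no existing data stream."""
    return [p for p in rule_patterns
            if not any(fnmatch.fnmatchcase(s, p) for s in existing_streams)]


def audit_rules(rules, existing_streams):
    """Map each rule name to its unmatched patterns; fully matched rules are omitted."""
    report = {}
    for rule in rules:
        missing = unmatched_patterns(rule.get("index", []), existing_streams)
        if missing:
            report[rule["name"]] = missing
    return report


def fetch_data_streams(es_url, api_key):
    """Live variant: list data stream names via GET /_data_stream.
    es_url and api_key are assumptions about your deployment."""
    req = urllib.request.Request(f"{es_url}/_data_stream",
                                 headers={"Authorization": f"ApiKey {api_key}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return [ds["name"] for ds in json.load(resp)["data_streams"]]


# Constructed sample: streams present when Endpoint is deployed but has raised no alert.
SAMPLE_STREAMS = [
    "logs-endpoint.events.process-default",
    "logs-endpoint.events.network-default",
    "metrics-endpoint.metadata-default",
]
# Constructed rules: the first mirrors the default 'Endpoint Security' rule from the
# thread, the second mirrors the duplicate rule pointed at the events streams.
SAMPLE_RULES = [
    {"name": "Endpoint Security", "index": ["logs-endpoint.alerts-*"]},
    {"name": "Endpoint Security Events", "index": ["logs-endpoint.events.*"]},
]

if __name__ == "__main__":
    print(json.dumps(audit_rules(SAMPLE_RULES, SAMPLE_STREAMS), indent=2))
```

Once an alert has been ingested, adding the resulting logs-endpoint.alerts-* stream to the list empties the report, which is exactly when the rule's warning disappears.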

Hi Kevin,
Thank you for your really comprehensive and helpful answer!
The test worked and the index has been created. 🙂

Kind regards,
