27 default Elastic Security rules contain definitions to non-existent indices and are broken

@finbarr996 - apologies for the delay in response.

The Security Endpoint will create these data streams for you in any tier, but Endpoints streaming the appropriate data first need to be deployed.

If you have deployed Endpoints, you're likely already streaming in many different types of Events and Metrics so you should see several existing data streams with the logs-endpoint* and metrics-endpoint* prefixes. You likely do not see the logs-endpoint.alerts-* data stream created because the Security Endpoints have not detected any malicious activity on your hosts, yet.

One way to generate an alert for testing (and to create the data stream) is to download an EICAR test file on to one of your hosts. When you access the file the Security Endpoint will generate an alert and stream it to ES. Then the logs-endpoint.alerts-* data stream will be created and the warning in the original rule will go away.

The default Endpoint Security rule that references logs-endpoint.alerts-* is the key rule that will promote Endpoint Security alerts so that they show up in your Alerts list. Be sure to re-enable it when using the EICAR file above.

Let me know if this helps or you have additional questions.

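As an added example (not from this thread or from Elastic), a small Python audit that takes the data stream names returned by `GET _data_stream` and reports which rule index patterns match none of them, which is the situation behind the warning discussed above. All sample stream names and the rules other than Endpoint Security are constructed.

```python
"""Cross-check rule index patterns against the data streams that exist.
Added example; the sample API response and rule list below are constructed."""
import re
from typing import Dict, Iterable, List

# Constructed, trimmed to the one field we use, in the shape GET _data_stream returns.
SAMPLE_DATA_STREAMS = {
    "data_streams": [
        {"name": "logs-endpoint.events.process-default"},
        {"name": "logs-endpoint.events.network-default"},
        {"name": "metrics-endpoint.metadata-default"},
        {"name": "logs-system.syslog-default"},
    ]
}

# Constructed rule -> index patterns. The default Endpoint Security rule really
# references logs-endpoint.alerts-*; the other two rules are hypothetical.
SAMPLE_RULES = {
    "Endpoint Security": ["logs-endpoint.alerts-*"],
    "Process activity (hypothetical)": ["logs-endpoint.events.process-*"],
    "Windows logs (hypothetical)": ["winlogbeat-*", "logs-windows.*"],
}


def pattern_matches(pattern: str, name: str) -> bool:
    """Elasticsearch index patterns use only '*' as a wildcard; everything else is literal."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None


def existing_stream_names(api_response: Dict) -> List[str]:
    return [ds["name"] for ds in api_response.get("data_streams", [])]


def unmatched_patterns(patterns: Iterable[str], names: Iterable[str]) -> List[str]:
    """Return the patterns that match no existing data stream name."""
    names = list(names)
    return [p for p in patterns if not any(pattern_matches(p, n) for n in names)]


def audit_rules(rules: Dict[str, List[str]], api_response: Dict) -> Dict[str, List[str]]:
    """Map each rule with at least one dangling pattern to its unmatched patterns."""
    names = existing_stream_names(api_response)
    report = {}
    for rule, patterns in rules.items():
        missing = unmatched_patterns(patterns, names)
        if missing:
            report[rule] = missing
    return report
```

Once an Endpoint has shipped its first alert and `logs-endpoint.alerts-*` matches a real data stream, the Endpoint Security rule drops out of the report.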