Alert Rules - doesn't seem to process query

Hi

I have some basic alerts configured to alert when log sources stop sending. One example is monitoring logs from a number of firewalls; I simply want an alert if one fails to generate logs.

I have created the following - the logic is simple. Look for all logs with the event.module : [vendor]_firewall. Then group by observer.name. The problem is that the first part, as shown, matches logs with an observer.name of WindowsDefenderAv which, as the name suggests, is Windows Defender logs.

If I search in Discover, any events with the observer.name : WindowsDefenderAv have an event.module of microsoft_defender_endpoint. This makes sense and does not match the query in the rule. Why is this matching and generating alerts? Is this a bug where the query at the top is being ignored? Or am I missing something...

Thanks
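As an added illustration (not code from the original post, nor Elastic's own implementation), the following Python reproduces the rule logic described above over constructed ECS-style documents: filter on event.module, group the survivors by observer.name, and report expected sources that produced nothing in the window. The module value "vendor_firewall", the observer names and the expected-firewall list are assumptions standing in for the poster's real values.

```python
from collections import defaultdict

# Constructed sample documents in ECS shape (assumed values, not from the thread).
# The last one is the Defender event that should never match the firewall query.
SAMPLE_DOCS = [
    {"event": {"module": "vendor_firewall"}, "observer": {"name": "fw-edge-01"}},
    {"event": {"module": "vendor_firewall"}, "observer": {"name": "fw-edge-01"}},
    {"event": {"module": "vendor_firewall"}, "observer": {"name": "fw-dc-02"}},
    {"event": {"module": "microsoft_defender_endpoint"},
     "observer": {"name": "WindowsDefenderAv"}},
]

# Firewalls expected to report in every check window (assumed inventory).
EXPECTED_FIREWALLS = {"fw-edge-01", "fw-dc-02", "fw-branch-03"}


def get_field(doc, dotted):
    """Resolve an ECS dotted field name such as 'event.module' against a nested dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def count_by_observer(docs, module):
    """Apply the rule's query (event.module == module), then group by observer.name."""
    counts = defaultdict(int)
    for doc in docs:
        if get_field(doc, "event.module") != module:
            continue  # non-matching modules are dropped before grouping
        counts[get_field(doc, "observer.name")] += 1
    return dict(counts)


def silent_sources(docs, module, expected):
    """Return the expected observers with no matching documents in this window."""
    seen = set(count_by_observer(docs, module))
    return sorted(expected - seen)


if __name__ == "__main__":
    print(count_by_observer(SAMPLE_DOCS, "vendor_firewall"))
    print(silent_sources(SAMPLE_DOCS, "vendor_firewall", EXPECTED_FIREWALLS))
```

If a WindowsDefenderAv bucket appears in the real rule's output, the query filter was not applied to the same data the grouping ran over, which is the mismatch the thread is chasing.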

Are you using the same data view?

When I go to Discover, I don't have a data view named Default but that is likely from me renaming them in the past - I can't remember.

Default, as defined in the rule includes logs-* and the data view I am using is All Logs which is also logs-* so yes, I am looking at the same data.

I don't seem to be able to edit the data view in the rule - that would simplify things as I have a data view for each main log type.

Thanks