Alert Rules - doesn't seem to process query

PhilA · October 25, 2024, 2:24pm

Hi

I have some basic alerts configured to alert when log sources stop sending. One example is monitoring logs from a number of firewalls; I simply want an alert if one fails to generate logs.

I have created the following - the logic is simple. Look for all logs with the event.module : [vendor]_firewall. Then group by observer.name. The problem is that the first part, as shown matches logs with an observer.name of WindowsDefenderAv which, as the name suggests is Windows Defender logs.

If I search in Discover, any events with the observer.name : WindowsDefenderAv have an event.module of microsoft_defender_endpoint. This makes sense and does not match the query in the rule. Why is this matching and generating alerts? It this a bug where the query at the top is being ignored? Or am I missing something...

Thanks

ahmed_charafouddine · October 25, 2024, 2:37pm

Are you using the same data view?

PhilA · October 26, 2024, 5:45am

When I go to Discover, I don't have a data view named Default but that is likely from me renaming them in the past - I can't remember.

Default, as defined in the rule includes logs-* and the data view I am using is All Logs which is also logs-* so yes, I am looking at the same data.

I don't seem to be able to edit the data view in the rule - that would simplify things as I have a data view for each main log type

Thanks

Topic		Replies	Views
Problem with Detections - Custom query rule SIEM	10	674	September 8, 2022
Rules not triggering alerts Elastic Security detection-rules	6	3153	October 19, 2021
Help with my Query :) Kibana	3	123	February 29, 2024
How can be use the alerting for a data query Kibana	2	256	May 4, 2023
Security Detection exception MATCHES not working properly Elastic Security detection-rules	3	279	April 23, 2024

Alert Rules - doesn't seem to process query

Related Topics