Cannot view alerted log in security alert

I tried to create a custom detection rule for MITRE ATT&CK T1078 using the JSON logs shown in the image below:

I uploaded my log file using the "Upload data from a file" integration.

Then, I tried to create a simple rule using custom query matching: action is created.

But I still cannot see any alert in the alert dashboard.

Did I miss something? Thank you for your help in advance.

This image shows my simple rule using custom query matching: action is created.

This image shows my alert dashboard, where I cannot see any alert.

Hi @Tee55 !

There are a number of possible issues here, but we can try to work through them to identify the root cause:

  1. Is your rule looking at the correct time window, i.e. one that contains the action: created document in question? It looks like the document has a @timestamp from June, but by default rules usually only look at the last few minutes' worth of data.

  2. Are your mappings correct? I noticed that you had some errors in the Rule Preview pane, which may be indicating a problem with your data.

  3. If neither of the above is fruitful, sharing:

    • the relevant fields of the document you expect to be alerted on,
    • the mappings of the target index (the one containing the above document), and
    • the full rule definition (which can be obtained by exporting the rule)

    would likely provide enough information for next steps.
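As an added illustration of the first two checks in the reply above (this is not code from the thread or from Elastic), the script below reproduces them offline: it parses a rule's date-math lookback such as `now-6m`, tests whether a document's `@timestamp` falls inside that window, walks an index mapping to confirm `@timestamp` is a `date` field and the queried field exists, and finally applies the `action: created` match. The mapping, the three documents and the September "now" are constructed sample data; the six-minute window is an assumed default, standing in for the "last few minutes" mentioned above, and should be replaced with the `from` value from your exported rule.

```python
"""Offline triage of why a detection rule finds no documents (added example)."""
import re
from datetime import datetime, timedelta, timezone

# Date-math lookback as written in a rule's "from" field, e.g. "now-6m" or "now-360s".
# Assumption: only the simple "now-N<unit>" form is handled here.
_LOOKBACK_RE = re.compile(r"^now(?:-(\d+)([smhd]))?$")
_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}


def parse_lookback(from_expr: str) -> timedelta:
    """Turn 'now-6m' into timedelta(minutes=6); a bare 'now' is a zero lookback."""
    m = _LOOKBACK_RE.match(from_expr.strip())
    if not m:
        raise ValueError(f"unsupported date-math expression: {from_expr!r}")
    if m.group(1) is None:
        return timedelta(0)
    return timedelta(**{_UNITS[m.group(2)]: int(m.group(1))})


def parse_timestamp(value: str) -> datetime:
    """Parse an ISO-8601 @timestamp; a trailing 'Z' is rewritten for fromisoformat."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.tzinfo is None:  # treat naive timestamps as UTC
        ts = ts.replace(tzinfo=timezone.utc)
    return ts


def field_type(mappings: dict, field: str):
    """Walk an index mapping (properties -> nested properties) and return the field's type, or None."""
    props = mappings.get("properties", {})
    parts = field.split(".")
    for i, part in enumerate(parts):
        node = props.get(part)
        if node is None:
            return None
        if i == len(parts) - 1:
            return node.get("type")
        props = node.get("properties", {})
    return None


def triage_document(doc: dict, mappings: dict, now: datetime,
                    field: str, value: str, from_expr: str = "now-6m") -> list:
    """Return the reasons a document would NOT produce an alert; an empty list means it should."""
    reasons = []
    ts_type = field_type(mappings, "@timestamp")
    if ts_type != "date":
        reasons.append(f"@timestamp is mapped as {ts_type!r}, not 'date': the rule's time filter cannot use it")
    elif "@timestamp" not in doc:
        reasons.append("document has no @timestamp")
    else:
        ts = parse_timestamp(doc["@timestamp"])
        start = now - parse_lookback(from_expr)
        if not (start <= ts <= now):
            reasons.append(f"@timestamp {doc['@timestamp']} is outside the rule window "
                           f"[{start.isoformat()}, {now.isoformat()}]")
    if field_type(mappings, field) is None:
        reasons.append(f"field {field!r} is not present in the index mapping")
    if doc.get(field) != value:  # exact match, as for a keyword field
        reasons.append(f"{field} is {doc.get(field)!r}, query requires {value!r}")
    return reasons


# Constructed sample data (not taken from the thread): one mapping and three documents.
SAMPLE_MAPPINGS = {
    "properties": {
        "@timestamp": {"type": "date"},
        "action": {"type": "keyword"},
        "user": {"properties": {"name": {"type": "keyword"}}},
    }
}
NOW = datetime(2023, 9, 1, 12, 0, tzinfo=timezone.utc)  # assumed rule execution time
SAMPLE_DOCS = [
    {"@timestamp": "2023-06-15T08:30:00Z", "action": "created", "user": {"name": "alice"}},  # stale
    {"@timestamp": "2023-09-01T11:57:00Z", "action": "created", "user": {"name": "bob"}},    # alerts
    {"@timestamp": "2023-09-01T11:58:00Z", "action": "deleted", "user": {"name": "carol"}},  # no match
]


def triage_all(docs=SAMPLE_DOCS, mappings=SAMPLE_MAPPINGS, now=NOW) -> list:
    """Run the triage over every sample document for the rule query action: created."""
    return [triage_document(d, mappings, now, "action", "created") for d in docs]


if __name__ == "__main__":
    for doc, reasons in zip(SAMPLE_DOCS, triage_all()):
        verdict = "ALERT" if not reasons else "; ".join(reasons)
        print(f"{doc['@timestamp']} action={doc['action']!r} -> {verdict}")
```

Run against your own data by replacing `SAMPLE_MAPPINGS` with the output of the index's `GET <index>/_mapping` call, `SAMPLE_DOCS` with the documents from the uploaded file, and `NOW` with the time the rule actually executed: a June document checked against a six-minute window is reported as out of range, which is the situation the reply describes, while a document inside the window that fails the `action` match is reported separately so the two causes are not confused.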

Hey @Tee55 ! Were you able to find a solution? We'd love to hear about it! If not, please let us know how we can help further. Thanks!