Cannot view alerted log in security alert

I tried to create a custom detection rule for MITRE ATT&CK T1078 using the json logs as shown in image below:

Screenshot 2024-10-10 1315231654×964 138 KB

I upload my log file using " Upload data from a file" integration.

Then, I tried to create simple rule using custom query matching: action is created.

But still I cannot see any alert in alert dashboard

Did I miss something? Thank you for your help in advanced.

This image show my simple rule using custom query matching: action is created

Screenshot 2024-10-10 1317301638×957 119 KB

This image show my alert dashboard that I cannot see any alert.

Screenshot 2024-10-10 1319031627×838 64.7 KB

Hi @Tee55 !

There are a number of possible issues here, but we can try to work through them to identify the root cause:

1. Is your rule looking at the correct time window that contains the action: created document in question? It looks like the document has a @timestamp from June, but rules by default usually only look at the last few minutes' worth of data.

2. Are your mappings correct? I noticed that you had some errors in the Rule Preview pane, which may be indicating a problem with your data.

3. If neither of the above is fruitful, sharing:

   • the relevant fields of the document you expect to be alerted on,
   • the target index (containing the above document)'s mappings, and
   • the full rule definition (which can be obtained by exporting the rule)

   Would likely provide enough information for next steps.

Hey @Tee55 ! Were you able to find a solution? We'd love to hear about it! If not, please let us know how we can help further. Thanks!