Cannot view alerted log in security alert

I tried to create a custom detection rule for MITRE ATT&CK T1078 using the JSON logs shown in the image below:

I uploaded my log file using the "Upload data from a file" integration.

Then I tried to create a simple rule using a custom query matching action: created.

But I still cannot see any alert in the alert dashboard.

Did I miss something? Thank you in advance for your help.

This image shows my simple rule using a custom query matching action: created.

This image shows my alert dashboard, where I cannot see any alert.

Hi @Tee55 !

There are a number of possible issues here, but we can try to work through them to identify the root cause:

  1. Is your rule looking at the correct time window that contains the action: created document in question? It looks like the document has a @timestamp from June, but rules by default usually only look at the last few minutes' worth of data.

  2. Are your mappings correct? I noticed that you had some errors in the Rule Preview pane, which may be indicating a problem with your data.

  3. If neither of the above is fruitful, sharing:

    • the relevant fields of the document you expect to be alerted on,
    • the mappings of the target index (the one containing the above document), and
    • the full rule definition (which can be obtained by exporting the rule)

    would likely provide enough information for next steps.

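An added example (not from the original thread and not Elastic's own code) that makes the first two checks concrete: it reproduces the time window a custom query rule searches on each run, assuming the default 5-minute interval plus 1-minute additional look-back, and checks the index mapping for the two fields the rule depends on. The documents and mapping are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed stand-ins for the uploaded JSON log lines (not real data).
SAMPLE_DOCS = [
    {"@timestamp": "2021-06-01T10:00:00Z", "action": "created", "user.name": "alice"},
    {"@timestamp": "2021-09-15T12:04:30Z", "action": "created", "user.name": "bob"},
    {"@timestamp": "2021-09-15T12:04:45Z", "action": "deleted", "user.name": "bob"},
]

def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp as written in the sample documents."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def query_window(run_at, interval_minutes=5, lookback_minutes=1):
    """Return the (start, end) range one rule execution searches.

    A custom query rule searches from now - (interval + additional look-back)
    up to now; 5m / 1m are assumed defaults used here for illustration.
    """
    start = run_at - timedelta(minutes=interval_minutes + lookback_minutes)
    return start, run_at

def matching_docs(docs, run_at, field="action", value="created", **window_kwargs):
    """Documents that both satisfy the query and fall inside the rule's window."""
    start, end = query_window(run_at, **window_kwargs)
    return [
        d for d in docs
        if d.get(field) == value and start <= parse_ts(d["@timestamp"]) <= end
    ]

def mapping_problems(mapping, query_field="action"):
    """Return human-readable reasons the rule could never alert on this index."""
    props = mapping.get("mappings", {}).get("properties", {})
    problems = []
    ts = props.get("@timestamp")
    if ts is None:
        problems.append("@timestamp is not mapped; the rule's time range filter has nothing to match")
    elif ts.get("type") != "date":
        problems.append(f"@timestamp is mapped as {ts.get('type')!r}, not 'date'; "
                        "the range filter will not select any documents")
    if query_field not in props:
        problems.append(f"{query_field!r} is not mapped; check the field names in the uploaded file")
    return problems

if __name__ == "__main__":
    # A run at 12:05 on Sept 15 only sees the 12:04:30 'created' event, not the June one.
    print(matching_docs(SAMPLE_DOCS, parse_ts("2021-09-15T12:05:00Z")))
```

Widening the window in `matching_docs` (larger `lookback_minutes`) is the quick way to confirm that an old document is excluded by time rather than by the query itself.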

Hey @Tee55 ! Were you able to find a solution? We'd love to hear about it! If not, please let us know how we can help further. Thanks!
