I tried to create a custom detection rule for MITRE ATT&CK T1078 using the json logs as shown in image below:
I upload my log file using " Upload data from a file" integration.
Then, I tried to create simple rule using custom query matching: action is created.
But still I cannot see any alert in alert dashboard
Did I miss something? Thank you for your help in advanced.
Hi @Tee55 !
There are a number of possible issues here, but we can try to work through them to identify the root cause:
Is your rule looking at the correct time window that contains the action: created document in question? It looks like the document has a @timestamp from June, but rules by default usually only look at the last few minutes' worth of data.
Are your mappings correct? I noticed that you had some errors in the Rule Preview pane, which may be indicating a problem with your data.
If neither of the above is fruitful, sharing:
Would likely provide enough information for next steps.
Hey @Tee55 ! Were you able to find a solution? We'd love to hear about it! If not, please let us know how we can help further. Thanks!
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
