I was trying to test some of the prebuilt Elastic detection rules with my Beat-Elasticsearch-Kibana setup. All the other rules with simple queries were working, but the rules with event correlation were not. I tried all possible troubleshooting and research but couldn't reach a conclusion.
Below is the query I was trying to test, with the required data from Winlogbeat and Sysmon.
query = '''
registry where event.type in ("creation", "change") and
  /* ':' is a case-insensitive match that supports * wildcards; backslashes are escaped as \\ in EQL strings */
  registry.path : ("HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Monitors\\*",
                   "HKLM\\SYSTEM\\*ControlSet*\\Control\\Print\\Environments\\Windows*\\Print Processors\\*") and
  registry.data.strings : "*.dll" and
  /* exclude SYSTEM SID - look for changes by non-SYSTEM user */
  not user.id : "S-1-5-18"
'''
My setup: Winlogbeat-Elasticsearch-Kibana.
Can someone please help here?
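A practical first check when an EQL rule like the one above never fires is to confirm that the indexed Winlogbeat/Sysmon documents actually carry the fields and values every clause of the rule needs (event.category, event.type, registry.path, registry.data.strings, user.id). The following is an added example, not code from the original post or from Elastic: it re-implements the rule's predicate in plain Python so that each constructed sample document can be scored clause by clause. The sample documents are constructed to resemble what the Winlogbeat Sysmon module produces for registry events; the exact field values (SIDs, paths, DLL names) are made up for illustration.

```python
"""Clause-by-clause evaluation of the Print Monitors / Print Processors EQL rule.

Added example, not part of the original post and not Elastic's EQL engine.
It mirrors the rule's predicate so that a document which should have matched
can be diagnosed offline: the returned list names every clause it fails.
"""
import fnmatch

# Patterns copied from the rule; EQL ':' is case-insensitive with '*' wildcards.
RULE_PATHS = [
    r"HKLM\SYSTEM\*ControlSet*\Control\Print\Monitors\*",
    r"HKLM\SYSTEM\*ControlSet*\Control\Print\Environments\Windows*\Print Processors\*",
]
SYSTEM_SID = "S-1-5-18"


def _glob_ci(value, pattern):
    """Case-insensitive wildcard match, the way EQL ':' compares strings.

    fnmatch treats '\\' as a literal character, so registry paths are safe here.
    """
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def failed_clauses(doc):
    """Return the rule clauses the document does NOT satisfy (empty list == rule fires).

    `doc` uses flattened ECS field names, e.g. doc["registry.path"].
    A missing field fails its clause, which is also how EQL behaves.
    """
    failures = []
    # 'registry where ...' selects event.category == "registry"
    if doc.get("event.category") != "registry":
        failures.append("event.category != registry")
    if doc.get("event.type") not in ("creation", "change"):
        failures.append("event.type not in (creation, change)")
    path = doc.get("registry.path") or ""
    if not any(_glob_ci(path, p) for p in RULE_PATHS):
        failures.append("registry.path does not match Print Monitors / Print Processors keys")
    # registry.data.strings is an array field; the clause matches if any element matches
    strings = doc.get("registry.data.strings") or []
    if isinstance(strings, str):
        strings = [strings]
    if not any(_glob_ci(s, "*.dll") for s in strings):
        failures.append("registry.data.strings has no *.dll value")
    if doc.get("user.id") == SYSTEM_SID:
        failures.append("user.id is SYSTEM (S-1-5-18), excluded by rule")
    return failures


# Constructed sample documents (hypothetical values, shaped like Winlogbeat Sysmon output).
SAMPLE_DOCS = [
    {   # Sysmon SetValue event by an interactive user: every clause satisfied
        "event.category": "registry", "event.type": "change",
        "registry.path": r"HKLM\SYSTEM\ControlSet001\Control\Print\Monitors\EvilMon\Driver",
        "registry.data.strings": ["evilmon.dll"],
        "user.id": "S-1-5-21-1111111111-2222222222-3333333333-1001",
    },
    {   # Same write, but performed by SYSTEM: excluded by the last clause
        "event.category": "registry", "event.type": "change",
        "registry.path": r"HKLM\SYSTEM\ControlSet001\Control\Print\Monitors\EvilMon\Driver",
        "registry.data.strings": ["evilmon.dll"],
        "user.id": "S-1-5-18",
    },
    {   # Key creation event with no value data: registry.data.strings is absent
        "event.category": "registry", "event.type": "creation",
        "registry.path": r"HKLM\SYSTEM\ControlSet001\Control\Print\Environments\Windows x64\Print Processors\Bad",
        "user.id": "S-1-5-21-1111111111-2222222222-3333333333-1001",
    },
    {   # Deletion of the key: wrong event.type
        "event.category": "registry", "event.type": "deletion",
        "registry.path": r"HKLM\SYSTEM\ControlSet001\Control\Print\Monitors\EvilMon\Driver",
        "registry.data.strings": ["evilmon.dll"],
        "user.id": "S-1-5-21-1111111111-2222222222-3333333333-1001",
    },
]

if __name__ == "__main__":
    for i, d in enumerate(SAMPLE_DOCS):
        print(i, failed_clauses(d) or "MATCH")
```

Run it against real documents by pulling a few registry events from Discover (or `_search` on the winlogbeat index) and feeding them in with the same flattened field names; a non-empty list tells you which clause the Sysmon data is not satisfying, which is usually more informative than staring at the rule's execution log.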