Custom query detection rule is not running on my ELK

I created a custom detection rule which is just a query for failed logins (event.code : "4625").

I have pointed it to the index pattern and I can see the output on preview results as well.

After enabling the rule, no alert is created even though there are failed logins.

There is no execution result; it is not showing any next run time or success percentage.

I'm stuck with this for a week. Please help.

Hey there @Sajith, thanks for posting!

So if your Rule Preview is showing results, but your actual rule execution isn't finding anything, there's a good chance it's a timing issue, as that's really the only difference between the preview feature and actual rule executions.

The Rule Preview defaults to last hour for its query window, and the Rule default interval/lookback will be 5m/1m unless you changed it. Can you please confirm your Rule schedule time and see if that resolves the issue?


In the case that doesn't resolve your issue, can you please provide your stack version, and an export of your Rule (with PII redacted of course)?

Thanks!
Garrett

One more thing... when you say

> There is No execution result, not showing any next run time or success percentage

Is this on the main rules table or within the Rule Details Execution Results tab? If you could share a screenshot of that table as well, that would be helpful in further debugging. There should be an entry for each rule execution, even if it wasn't successful or found no alerts.

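To make the timing difference concrete, here is an added illustration (not code from the thread or from Elastic) that models the two query windows Garrett describes: the Preview's default last-hour window versus a scheduled rule's window of interval plus additional look-back. The events, timestamps and user names are constructed samples; the window formula (now minus interval minus look-back, up to now) is an assumption about how the scheduled rule queries.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events (not real logs): Windows logon records as they
# would appear to a query rule looking for event.code : "4625".
NOW = datetime(2023, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"@timestamp": NOW - timedelta(minutes=3), "event.code": "4625", "user.name": "alice"},
    {"@timestamp": NOW - timedelta(minutes=30), "event.code": "4625", "user.name": "bob"},
    {"@timestamp": NOW - timedelta(minutes=30), "event.code": "4624", "user.name": "bob"},  # successful logon, not matched
    {"@timestamp": NOW - timedelta(hours=3), "event.code": "4625", "user.name": "carol"},
]


def parse_duration(text):
    """Parse an Elastic-style duration string such as '30s', '5m' or '1h'."""
    units = {"s": "seconds", "m": "minutes", "h": "hours"}
    value, unit = int(text[:-1]), text[-1]
    return timedelta(**{units[unit]: value})


def rule_window(now, interval, lookback):
    """Assumed window a scheduled run covers: from now - (interval + look-back) up to now."""
    start = now - parse_duration(interval) - parse_duration(lookback)
    return start, now


def matching_events(events, start, end, code="4625"):
    """Apply the rule's query (event.code match) inside a time window."""
    return [e for e in events if e["event.code"] == code and start <= e["@timestamp"] <= end]


def preview_hits(events, now):
    """Rule Preview defaults to the last hour, so older failures still show up here."""
    return matching_events(events, now - timedelta(hours=1), now)


def rule_hits(events, now, interval="5m", lookback="1m"):
    """Scheduled execution with the default 5m interval and 1m additional look-back."""
    start, end = rule_window(now, interval, lookback)
    return matching_events(events, start, end)


def hit_users(hits):
    return sorted(e["user.name"] for e in hits)


if __name__ == "__main__":
    print("preview (last 1h):", hit_users(preview_hits(SAMPLE_EVENTS, NOW)))
    print("rule 5m/1m:       ", hit_users(rule_hits(SAMPLE_EVENTS, NOW)))
    print("rule 5m/1h:       ", hit_users(rule_hits(SAMPLE_EVENTS, NOW, lookback="1h")))
```

A failed logon that is 30 minutes old appears in the preview but falls outside a 5m/1m scheduled window, which is exactly the symptom of "preview shows results, rule never alerts"; ingest delay widens that gap further, which is what the additional look-back is for.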
