Hi, I'm testing datastreams right now and observed that default detection rules are not looking logs from my datastreams indices. Do I have to manually change all default rules (and new ones added by updates) to include the auto-generated indices created by datastreams (.ds-*) ?
Thank you
Are these your own custom data stream logs? The default rules are looking at different indexes, so they're not all going to be the same. If so, yeah, you will have to edit and change them. You can do this via the UI or you if you're handy with scripting we have a REST API you can use to automate some of these types of tasks:
We are looking at ways of improving things such as changing indexes globally or overriding them for rules but we don't have a global mechanism at the this point.
Hi Franck, yes they are custom data streams. So for the moment, I guess I can name my datastreams with the same syntax that what detection rules are looking for (ex: filebeat-*) and detections will magically work.
Thx !
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.