Detection not finding anything but same query finds them

I made a detection from a saved query that shows what I want to detect but the detection is not detecting anything. Detection does not show any failures. Any suggestions?

Welcome @plaroche0 !

If you don't mind, I have a few questions that could help us better triage what's happening.

  • What version of Kibana are you using?
  • Do the events you expect show up when using timeline within the same time period and query as the rule?
  • What does your mapping for @timestamp look like? Data in the rule indices must be ECS compatible, so they must contain a @timestamp field.
  • If you go to the rule details and select 'Failure History' tab, does anything show up there?
  • If you create the same rule, but don't use a saved query for it, do you then start seeing signals? This could narrow down if it's specific to saved query.
  • Are you using any timestamp overrides?

I know it's quite a few questions, but it'll greatly help to understand what is happening.

Best,
Yara

  • What version of Kibana are you using?
    7.10.0

  • Do the events you expect show up when using timeline within the same time period and query as the rule?
    Yes

  • What does your mapping for @timestamp look like? Data in the rule indices must be ECS compatible, so they must contain a @timestamp field.
    Shows as type: date and it shows it is searchable and aggregatable

  • If you go to the rule details and select 'Failure History' tab, does anything show up there?
    Nothing shows for "Failure History"

  • If you create the same rule, but don't use a saved query for it, do you then start seeing signals? This could narrow down if it's specific to saved query.
    I created the same rule without using the saved query and nothing shows, but when I use the preview option while creating the rule, it shows what I am looking for.

  • Are you using any timestamp overrides?
    No

Solved it!

I had to increase the loopback time. :man_facepalming:

Ah! Glad you were able to solve it!

Hi @plaroche0, I'm also glad you solved it!

If you don't mind sharing, what value of "additional look-back time" did you specify in your rule when it didn't detect what you expected?

We set a default of one minute to allow for possible ingestion pipeline delays in typical environments. I'm wondering if you used this default value, and what you had to change it to in order to make it work in your environment?

Thanks again for using the SIEM/Security solution, and for posting in our forum!
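To make the look-back point concrete, here is a small Python model (an added example, not code from anyone in this thread) of how a scheduled rule's search window interacts with ingestion delay, and why a one-off preview or Timeline search can still see the events. The Event fields, the 5-minute interval, and the sample events with their lags are constructed assumptions.

```python
"""
Simplified model of a scheduled detection rule (assumption, not the actual
Kibana scheduler): every `interval` seconds the rule runs and searches
documents whose @timestamp lies in [run - interval - lookback, run], but
only documents already ingested (ingested_at <= run) are visible to it.
In the rule API this window is what `from` (e.g. "now-6m") and `interval`
(e.g. "5m") express: 5 m interval + 1 m look-back = now-6m.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    name: str
    event_time: float   # value of @timestamp, in seconds (constructed data)
    ingested_at: float  # when the document became searchable, in seconds


def search_window(run_time: float, interval: float, lookback: float):
    """@timestamp range the rule queries on one execution."""
    return run_time - interval - lookback, run_time


def scheduled_hits(events, interval, lookback, horizon):
    """Names of events a rule running every `interval` seconds up to
    `horizon` would turn into alerts (later runs only move forward)."""
    hits = set()
    run_time = interval
    while run_time <= horizon:
        start, end = search_window(run_time, interval, lookback)
        for ev in events:
            if ev.ingested_at <= run_time and start <= ev.event_time <= end:
                hits.add(ev.name)
        run_time += interval
    return hits


def preview_hits(events, now, span):
    """A one-off search (rule preview / Timeline) at time `now` over the
    last `span` seconds sees everything ingested so far, whatever its lag."""
    return {ev.name for ev in events
            if ev.ingested_at <= now and now - span <= ev.event_time <= now}


# Constructed sample: one promptly ingested event, two with long pipeline lag.
SAMPLE = [
    Event("prompt", event_time=100, ingested_at=110),   # 10 s lag
    Event("delayed", event_time=100, ingested_at=500),  # 400 s lag
    Event("edge", event_time=290, ingested_at=610),     # 320 s lag
]
INTERVAL = 300  # rule runs every 5 minutes

if __name__ == "__main__":
    print("preview sees:  ", sorted(preview_hits(SAMPLE, now=1200, span=3600)))
    print("look-back 60 s:", sorted(scheduled_hits(SAMPLE, INTERVAL, 60, 1200)))
    print("look-back 600 s:", sorted(scheduled_hits(SAMPLE, INTERVAL, 600, 1200)))
```

With the default 1-minute look-back, the two lagged events are never inside any run's window by the time they are searchable, while the preview over the last hour sees all three; raising the look-back past the ingestion lag makes the scheduled rule catch them too.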
