Detection Rules don't alert

omlette · August 8, 2021, 3:15pm

I'm setting up detection rules, so I wanted to start small and verify that the workflows was functioning, so I've enabled the Whoami Process Activity. I've run the whoami command several times over the last several hours, but haven't seen a single alert. To further debug, I have put the EQL query in the Dev Console, and I see the events that should be alerting. To test the alert, I have duplicated the Rule, and before saving the Rule, ran the command and used the test functionality to view the results of the detection Rule. But after letting that run for several iterations, it also doesn't alert.

omlette · August 10, 2021, 8:59pm

For more information:

Elastic Stack version 7.14.0 Basic License
Winlogbeat version 7.9.2

I've looked in the .kibana-event-log-7.14.0-* for the last 7 minutes and I see the execute-start and execute events, but still no alerts when I run whoami.

omlette · August 10, 2021, 9:24pm

When I look at the Alerts page, it says last alert 1 min ago (see screenshot), but doesn't display it. Maybe it is a Kibana display issue, instead of an alerting issue? Any tips on further debugging?

omlette · August 10, 2021, 9:49pm

I think I found how I couldn't see the alert, but I'm not sure about the why...

At the bottom of this screenshot there is Untitled timeline. When I changed that to Generic Threat Match Timeline I can see my alerts for my Duplicated whoami alert, but the built in one still does not alert on the whoami command.

omlette · August 13, 2021, 8:41pm

I guess I found the issue. The Timestamp Override was set to event.ingested, but I hadn't added that to my event. After adding an ingest pipeline:

PUT _ingest/pipeline/pipeline_add_ingest_timestamp
{ 
  "description": "Adds event.ingested field which represents time of ingestion.",
  "processors": [
    {
      "set": {
        "field": "event.ingested",
        "value": "{{_ingest.timestamp}}"
      }
    }
  ]
}

And adding the pipeline to my beats config elasticsearch output:

output.elasticsearch:
  # Array of hosts to connect to.
  hosts: ["elasticsearch.local:9200"]

  # Ingest Pipeline
  pipeline: pipeline_add_ingest_timestamp

The builtin detections are alerting on the whoami command.

system · September 10, 2021, 8:42pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.