Hi,
We experience some issues with detection rules detecting their dependencies on installed integrations correctly:
a) Installed integrations are displayed as "Disabled", complaining that there are no agent policies using them. We have to edit an already configured policy and change anything in the allegedly disabled integration configuration to be able to save the changed settings -> then the rules correctly recognize the integration as "Installed" again.
b) the "Windows" Integration always shows this "version mismatch" (Screenshot):
It seems that these are only "cosmetic" issues, because the rules work just fine with the collected data and produce alerts based on the indices of the wrongly "Disabled" or otherwise faultily recognized integrations. Nevertheless, it's annoying to have no reliable indicator of whether all prerequisites of a rule are satisfied or not...
Thanks for your suggestion @leandrojmp, but the topic was closed as completed in 2022 and I don't want to participate in/reopen this using my personal GitHub account.
I'll stick with my workaround:
If anyone else encounters similar phenomena - installed and enabled integrations appear as "Disabled" or with version mismatches that should have been solved long ago:
in any agent-policy containing the integration ->
edit it,
change something,
save the changed settings (and change it all back) ->
your detection rules should update their view of dependent integrations now
(at least this works on 8.15.x Kibana versions, prebuilt-rules integration version 8.15.8, Debian-based installation, on-premises, not containerized).