Detections - Kibana

Elastic Security SIEM
1

Hi, I am trying to use detection rules in Kibana. I am testing it on predefined rules under Security module. To be exact " User Account Creation" . I am using winlog to send out data to kibana. I see user creation event under discovery and on dashboards but detection rules are not working.

Do detection rules work with beats or only fleet? How to configure a simple detection rule that will detect new user creation?

From here it looks like it should work with Winlog

https://www.elastic.co/guide/en/siem/guide/current/user-account-creation.html

Usefully info, but rule is not working. How can I troubleshoot it?

2

Detection rules work with Beats.

What do you mean that the rule is not working? Do you have it enabled, but there is an error message when you click into the activated rule? Or do you have it enabled, and it is constantly running per its interval, but no alerts are being generated?

3

I have it enabled, and it looks like its running but no alerts are being generated

image
image1875×185 21 KB

image

image
image1863×482 19.8 KB

4

Can you show what the rule query looks like?
Also can you look at the failures for the query?

Also you need to look at the current elastic documentation, what you posted is old.

5

Sure, I am using pre defined query

image
image1868×638 64.6 KB

Found some errors here (not sure if related)

image
image1866×461 77 KB

PS. I am trying to learn how to create my own EQL queries for detection but I can not find where real examples. For instance, what would user creation EQL query look like ?

image
image936×350 20.2 KB

OK so I created my first custom rule like below (it looks like it is going to work)

image
image1516×618 49.1 KB

But does it mean that all pre defined rules dont work with beats? IS there repo with already existing rules I can use or I need to define them all by myself ? I found this great site
''' https://uncoder.io/""
and it allows to transfer many rules to elastic, but I do not know how to imput them into EQL querry. In example

(winlog.channel:"Security" AND (winlog.event_id:"4732" AND (winlog.event_data.GroupName:"Administrators" OR group.name:"Administrators")) AND (NOT (winlog.event_data.SubjectUserName:*$)))

How to apply this as valid EQL query ? Is there any repo when I can import rules from ?

6

All of the pre-built Elastic rules are found in a GitHub repository. You could search for rules in there which are written in EQL for examples.

The errors that you show appear to show that the rule was not running in the past. You should be watching out for Last response, where you find out if your rule is currently successfully running after the interval period set (e.g. 5 minutes).

Another way that I would suggest for you to look into 'debugging' rules that are not being detected - go to Dev Tools / Discover (depending on which works for you) and put in your query bit-by-bit. For example, if the Custom query in the rule has several chunks, break it down then manually query them to see which chunk is the 'faulting' chunk that prevents your overall rule from not 'working'.

7

If you want to practice your EQL then just go here:

Timelines - Kibana (eqlplayground.io)

2 Likes
8

I also started this wiki to help with the building of rules.

ELK - Detection Rule Building

1 Like
9

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.