Hi, I am trying to use detection rules in Kibana. I am testing them on the predefined rules under the Security module, to be exact "User Account Creation". I am using winlog to send data to Kibana. I see the user creation event under Discover and on dashboards, but the detection rules are not working.
Do detection rules work with Beats, or only with Fleet? How do I configure a simple detection rule that will detect new user creation?
From here, it looks like it should work with Winlog.
What do you mean by "the rule is not working"? Do you have it enabled, but there is an error message when you click into the activated rule? Or do you have it enabled, and it is constantly running per its interval, but no alerts are being generated?
PS. I am trying to learn how to create my own EQL queries for detection, but I cannot find real examples anywhere. For instance, what would a user creation EQL query look like?
But does that mean that all predefined rules don't work with Beats? Is there a repo with already existing rules I can use, or do I need to define them all myself? I found this great site
https://uncoder.io/
and it allows converting many rules to Elastic, but I do not know how to turn them into an EQL query. For example:
(winlog.channel:"Security" AND (winlog.event_id:"4732" AND (winlog.event_data.GroupName:"Administrators" OR group.name:"Administrators")) AND (NOT (winlog.event_data.SubjectUserName:*$)))
How do I apply this as a valid EQL query? Is there any repo from which I can import rules?
All of the pre-built Elastic rules are found in a GitHub repository. You could search in there for rules written in EQL as examples.
The errors that you show appear to indicate that the rule was not running in the past. You should watch the Last response field, where you can see whether your rule is currently running successfully after the interval period set (e.g. 5 minutes).
Another way that I would suggest for you to look into 'debugging' rules that are not detecting anything: go to Dev Tools or Discover (depending on which works for you) and put in your query bit by bit. For example, if the Custom query in the rule has several chunks, break it down, then manually query the chunks to see which one is the 'faulting' chunk that prevents your overall rule from 'working'.
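As an added example (not from the thread, and not one of Elastic's pre-built rules), here is the KQL from the question rewritten as EQL, followed by a minimal query for the "user account created" event (Security event ID 4720). It assumes Winlogbeat's default field names (winlog.channel, winlog.event_id, winlog.event_data.*), that winlog.event_id is indexed as a keyword so it is compared as a string, and that the rule's index pattern covers the winlogbeat-* indices; check the mapping in your own stack, since some versions expose the ID as event.code instead.

```eql
// Added example, not from the original thread or the Elastic rules repo.
// Assumes Winlogbeat field names and that winlog.event_id is a keyword.

// 1. The KQL from the question as EQL. These Security events carry no
//    event.category value, so "any" is used instead of a category.
//    EQL's ":" operator is a case-insensitive string match that accepts
//    * wildcards, which replaces KQL's SubjectUserName:*$ and excludes
//    machine accounts (their names end in "$").
any where winlog.channel == "Security" and winlog.event_id == "4732" and
  (winlog.event_data.GroupName : "Administrators" or group.name : "Administrators") and
  not winlog.event_data.SubjectUserName : "*$"

// 2. New user account created (event 4720), again ignoring actions taken
//    by machine accounts. TargetUserName holds the account that was created
//    and SubjectUserName the account that created it.
any where winlog.channel == "Security" and winlog.event_id == "4720" and
  not winlog.event_data.SubjectUserName : "*$"
```

Each query is a separate rule: paste one at a time into Security > Rules > Create new rule > Event Correlation, or test it first in Dev Tools with `GET winlogbeat-*/_eql/search` and the query string in the request body's `query` field. If the second query returns nothing in Dev Tools while Discover shows 4720 events, compare the field names in the document with those in the query (for example winlog.event_id versus event.code) before blaming the rule.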