Elastic SIEM alerts + Auditbeat - only a few are working fine

Hello,
This is my first post in the forum. Since I'm using the free Elastic licence, I would like to seek some support on the discussion board. Currently I'm experimenting with the SIEM > Detections module. I have the Elastic Stack installed on one computer and Auditbeat on another, and for example when running nmap, base64 encoding decoding alert is generated in SIEM > Detections, but other ones, like nping, mknod etc., never generated an alert, although they are visible in Elastic when looking at the Auditbeat logs. For the sake of the experiment I have enabled all 149 rules which were preconfigured, but only a few of them are working. Any suggestions as to what I am doing wrong?

Please share all your Auditbeat debug logs and the configuration, formatted using </>.

The base64 detection query is:

Can you share the raw event for the base64 process that Auditbeat sent to Elasticsearch? Then we can see if there's something that would cause the query to not match. The only other issue I can think of would be timing (like the event wasn't in Elasticsearch when the rule executed its query).
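The timing issue raised in the last reply, as an added example that is not part of the thread: a small model of a rule that runs every `interval` seconds and searches back `interval + lookback` seconds, showing that an event indexed later than the look-back slack is never matched by any run. The process names reuse the tools from the question, but every timestamp and delay is constructed, and the windowing model itself is an assumption about how the rule is scheduled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Event:
    name: str          # process name (constructed sample)
    timestamp: int     # @timestamp, in seconds since the start of the model
    ingest_delay: int  # seconds until the document is searchable


def rule_runs(start, end, interval):
    """Execution times of a rule scheduled every `interval` seconds."""
    return list(range(start, end + 1, interval))


def classify(events, runs, interval, lookback):
    """Return {event name: 'matched' | 'missed'} for a time-windowed rule.

    Assumed model: a run at time T searches @timestamp in
    (T - interval - lookback, T] and only sees documents indexed by T.
    """
    result = {}
    for ev in events:
        indexed_at = ev.timestamp + ev.ingest_delay
        seen = any(
            t - interval - lookback < ev.timestamp <= t and indexed_at <= t
            for t in runs
        )
        result[ev.name] = "matched" if seen else "missed"
    return result


# Constructed sample: three process events with different shipping lag.
SAMPLE = [
    Event("base64", timestamp=290, ingest_delay=5),    # searchable before the run at 300
    Event("nping", timestamp=230, ingest_delay=90),    # searchable just after that run
    Event("mknod", timestamp=250, ingest_delay=400),   # searchable two runs later
]

if __name__ == "__main__":
    runs = rule_runs(0, 1200, 300)
    for lookback in (60, 120, 420):
        print(lookback, classify(SAMPLE, runs, 300, lookback))
```

Comparing `@timestamp` with the time the document became searchable in the raw event is the quickest way to tell this case apart from a query that simply does not match.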
