I have 2 Windows endpoints with 2 different agent policies. On one endpoint I have integrated the System integration and on the other I have integrated Windows. So in this case, for a SIEM detection rule, do I actually need both integrations in both of my agent policies to make the detection rule work?
Some of the rules show 6 available integrations, so do I need all 6 to trigger the alert if it occurs?
(...) enable one or more of the below integrations (...)
So you need at least one of the integrations. This happens because the events required to trigger the rule can be provided in different ways by different integrations; if you check how the rule works you will see that there are a couple of conditionals to make it trigger with events from both integrations.
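As an added illustration of that last point (example code, not from the thread and not Elastic's own rule set): a minimal Python model of a rule whose source conditional accepts events from either the System or the Windows integration, run over constructed sample events. The dataset names are those two integrations' real datasets; the rule logic, the sample events and the function names are hypothetical.

```python
# Added example: a simplified model of how a detection rule can accept
# events from more than one integration, so a policy only needs one of
# the rule's related integrations. Dataset names follow the System and
# Windows integrations; the rule itself is a hypothetical stand-in.

# Constructed sample events, one per integration, describing the same
# parent/child process relationship as each integration reports it.
SAMPLE_EVENTS = [
    {"event.dataset": "system.security", "event.code": "4688",
     "process.name": "powershell.exe", "process.parent.name": "winword.exe"},
    {"event.dataset": "windows.sysmon_operational", "event.code": "1",
     "process.name": "powershell.exe", "process.parent.name": "winword.exe"},
    {"event.dataset": "system.security", "event.code": "4688",
     "process.name": "notepad.exe", "process.parent.name": "explorer.exe"},
]

# Hypothetical rule: accepted_sources is the "one or more of the below
# integrations" conditional, so either dataset can satisfy it on its own.
RULE = {
    "related_integrations": {"system", "windows"},
    "accepted_sources": {
        ("system.security", "4688"),           # Security 4688 via System
        ("windows.sysmon_operational", "1"),   # Sysmon Event ID 1 via Windows
    },
}


def event_matches(rule, event):
    """True if the event comes from an accepted source and shows the
    parent/child pair the rule looks for. One integration is enough."""
    source = (event.get("event.dataset"), event.get("event.code"))
    if source not in rule["accepted_sources"]:
        return False
    return (event.get("process.parent.name") == "winword.exe"
            and event.get("process.name") == "powershell.exe")


def policy_feeds_rule(rule, policy_integrations):
    """A policy can feed the rule if it carries at least one of the rule's
    related integrations, not all of them."""
    return bool(rule["related_integrations"] & set(policy_integrations))


def matching_datasets(rule, events):
    """Datasets that produced at least one matching event."""
    return sorted({e["event.dataset"] for e in events if event_matches(rule, e)})
```

Running `matching_datasets(RULE, SAMPLE_EVENTS)` returns both datasets, which is the point: a policy with only System or only Windows still produces alerts, but an endpoint whose policy has neither sends no matching events at all.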