Elastic SIEM Detection Rules

Hi Team,

I have 2 Windows endpoints with 2 different agent policies: on one endpoint I have integrated the System integration, and on the other I have integrated Windows. So in the case of a SIEM detection rule, do I actually need both integrations in both of my agent policies to make the detection rule work?

Some of the rules show 6 available integrations, so do I need all 6 to trigger the alert if it occurs?

Thanks in advance

Hello and welcome,

As the message says:

(...) enable one or more of the below integrations (...)

So you need at least one of the integrations. This happens because the events required to trigger the rule can be provided in different ways by different integrations; if you check how the rule works, you will see that there are a couple of conditionals to make it trigger with events from both integrations.
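To make the "one or more integrations" point concrete, here is an added illustration that is not from this thread and not Elastic's own rule engine: a simplified rule whose index patterns cover both the System and Windows data streams and whose query is an OR across the datasets each integration writes, so an event from either one satisfies it. The rule name, index patterns, dataset names, event codes and sample events are assumptions constructed for the example.

```python
from fnmatch import fnmatch

# Hypothetical, simplified rule modelled on the shape of an Elastic prebuilt
# rule: the index patterns decide which data streams are searched, and the
# query ORs together the event.dataset / event.code values that each listed
# integration produces. All values below are assumptions for illustration.
RULE = {
    "name": "Example: process creation from either Windows integration",
    "related_integrations": ["system", "windows"],
    "index": ["logs-system.*", "logs-windows.*", "winlogbeat-*"],
    "datasets": {"system.security", "windows.sysmon_operational"},
    # Security 4688 and Sysmon EventID 1 both describe process creation
    "event_codes": {"4688", "1"},
}


def rule_matches(rule, event):
    """Return True if one ECS-style event would satisfy the rule.

    This mirrors the two conditionals the answer above refers to: the event
    must come from an index the rule searches, and its dataset and code must
    be one of the alternatives the rule accepts for any of its integrations.
    """
    in_scope = any(fnmatch(event["_index"], pat) for pat in rule["index"])
    return (
        in_scope
        and event.get("event.dataset") in rule["datasets"]
        and event.get("event.code") in rule["event_codes"]
    )


# Constructed sample events: one from each integration on its own endpoint,
# plus one from a data stream the rule does not search at all.
SAMPLE_EVENTS = [
    {"_index": "logs-system.security-default", "event.dataset": "system.security",
     "event.code": "4688", "host.name": "win-endpoint-a"},
    {"_index": "logs-windows.sysmon_operational-default",
     "event.dataset": "windows.sysmon_operational", "event.code": "1",
     "host.name": "win-endpoint-b"},
    {"_index": "logs-auditd.log-default", "event.dataset": "auditd.log",
     "event.code": "SYSCALL", "host.name": "linux-box"},
]


def evaluate(rule, events):
    """Map each sample host to whether the rule would fire on its event."""
    return {e["host.name"]: rule_matches(rule, e) for e in events}
```

Running `evaluate(RULE, SAMPLE_EVENTS)` shows both Windows hosts matching even though each ships only one of the two integrations, while the Linux host does not.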
