Elastic SIEM. Security rules doesn't work

Hi all!
I have an issue with the Elastic Security Rules.

I've installed the elastic agents on my target instances:

I can successfully see its data streams:

I've created default enrolment policy for my agents:

Here is my yml file generated by Elastic:

As you see, I've configured the Default policy with system-1, Endpoint Security integration, linux-1, Prebuilt Security Rules. But I can's see Prebuilt Security Rules integration in the yml.

Also, I can't understand why default prebuilt security rules don't work (no succeeded rules):

I will be pleased to receive any help!
Thank you!

Hey @Dmitriy_Esin thanks for the question!
If you click on the Rule Monitoring tab within Rules, does it show any error messages relating to the prebuilt rules?

Could you also provide some Kibana logs? The Detection Rules should log some warnings and errors if they're running into problems.

Hi @Jonathan_Buttner thanks for you reply!

Here is the example screenshot of the the prebuilt rule:

I have specific warnings in each prebuilt rule.

Unfortunately I can't find any logs from Kibana in web UI (elastic stack is in kubernetes), but I've found container logs (may be it's wrong logs)

Thank you for your help!

Any update on this? Thank you!

Here is nothing to configure

Hey @Dmitriy_Esin looks like the issues is that the rule isn't seeing data within the index patterns auditbeat-* or logs-endpoint.events.*. Could you check the Stack Management -> Index Management page, enable hidden indices, and then search for auditbeat or events and see if anything comes up that would match those patterns?

Here's an example

If the Docs count is zero or nothing is found it likely means that Elasticsearch hasn't received any events from auditbeat or the elastic endpoint.

Hi @Jonathan_Buttner !
Yes, unfortunately, I've tried it, but there are no indices that we need

I know that agents create indices themselves when we use any integration, but there is no Prebuilt Security Rules integration in my elastic-agent.yml and I can't configure it :frowning:

thank you for your answer! I'll try to install auditbeat.

Thank you so much!!!
You saved me!
It works well now!

@Jonathan_Buttner one more question from me:

All rules are well, and I'm very grateful to you for your assistance, but one rule has a status "warning"

Can I kindly ask you to help to understand how to resolve it?

I'm glad you got it working! The warnings about the event.ingested are indicating that auditbeat and elastic agent aren't populating the event.ingested field. While it's ideal to have this field populated it's not required. The detection rules will fallback to using the @timestamp field instead. You could add a new pipeline that sets this field like this: Add event.ingested to all Filebeat modules by andrewkroh · Pull Request #20386 · elastic/beats · GitHub

and configure it to be used in auditbeat: Define processors | Auditbeat Reference [7.15] | Elastic

I believe filebeat populates this field by default but the other beats don't.

For more details on what event.ingested is used for: Create a detection rule | Elastic Security Solution [7.15] | Elastic

Specifically item j:

Timestamp override (optional): Select a source event timestamp field. When selected, the rule’s query uses the selected field, instead of the default @timestamp field, to search for alerts. This can help reduce missing alerts due to network or server outages. Specifically, if your ingest pipeline adds a timestamp when events are sent to Elasticsearch, this avoids missing alerts due to ingestion delays.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.