Elasticsearch SIEM is not working, but EQL query is ok

I got some problems with my ELK running on Docker. I set up SSL on TLS and HTTP and tried to make a simple EQL query:

sequence by winlog.computer_name 
[iam where event.code == "4720"] 
[iam where event.code == "4726"]

When I click on "Show results" I see hits:

but when I try to reproduce the alert there are zero hits in the index:
.siem-signals-default-*

I got some warnings from my Elasticsearch container:

{"type": "server", "timestamp": "2021-10-25T12:37:33,433Z", "level": "WARN", "component": "o.e.x.s.t.n.SecurityNetty4HttpServerTransport", "cluster.name": "elastdocker-cluster", "node.name": "elastdocker-node-0", "message": "received plaintext http traffic on an https channel, closing connection Netty4HttpChannel{localAddress=/172.20.0.5:9200, remoteAddress=/172.20.0.2:43450}", "cluster.uuid": "oZsivcyzROWSooXVIPzbKQ", "node.id": "KIjWJ0OjSW-lYt51cO8ViQ" }

Where is the problem? Any ideas?
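To make the rule's semantics concrete, the following is an added example (not code from the thread or from Elastic) that models `sequence by winlog.computer_name [iam where event.code == "4720"] [iam where event.code == "4726"]` in plain Python over constructed Windows Security events. It shows which event pairs a sequence rule turns into hits: a 4720 (user account created) followed by a 4726 (user account deleted) on the same host, in that order, and nothing for a 4726 with no preceding 4720 or for events split across hosts. It also goes slightly beyond the posted query by supporting an optional `maxspan`, the way a `sequence with maxspan=...` clause bounds the time between the first and last event. The field names follow ECS; the event data, host names and user names are constructed sample input.

```python
"""Simplified model of an EQL `sequence by` rule, run over constructed events.

Added example, not the thread's or Elastic's code. Event IDs 4720 (user
account created) and 4726 (user account deleted) are the real Windows
Security event IDs used in the posted rule; everything else below is sample
data constructed for the demonstration.
"""
from datetime import datetime, timedelta

# Constructed sample events (not from the original post), sorted by time,
# with ECS-style field names. event.category "iam" is what `iam where ...`
# filters on.
BASE = datetime(2021, 10, 25, 12, 0, 0)


def _ev(seconds, host, code, user):
    return {
        "@timestamp": BASE + timedelta(seconds=seconds),
        "event.category": "iam",
        "event.code": code,
        "winlog.computer_name": host,
        "user.name": user,
    }


SAMPLE_EVENTS = [
    _ev(0, "DC01", "4720", "tmpadmin"),   # starts a candidate on DC01
    _ev(30, "WS07", "4726", "old"),       # no prior 4720 on WS07: no hit
    _ev(60, "DC01", "4726", "tmpadmin"),  # completes the DC01 sequence: hit
    _ev(90, "WS07", "4720", "svc"),       # opens a candidate that never completes
    _ev(120, "DC01", "4720", "x"),        # new candidate on DC01, no 4726 after it
]


def iam_code_is(code):
    """Predicate for one `[iam where event.code == "<code>"]` step."""
    return lambda ev: ev.get("event.category") == "iam" and ev.get("event.code") == code


RULE_STEPS = [iam_code_is("4720"), iam_code_is("4726")]


def eql_sequence(events, by_field, steps, maxspan=None):
    """Simplified model of `sequence by <by_field> [step0] [step1] ...`.

    For each join key, a new candidate starts at every event matching step 0,
    and a candidate advances when a later event matches its next step. An
    event advances at most one candidate. A completed candidate is emitted
    as a hit (a list of its events) and dropped. With `maxspan` (a timedelta),
    candidates whose first event is older than maxspan are discarded before
    the current event is considered. Events must be sorted by @timestamp.
    """
    pending = {}  # join key -> list of partial sequences (lists of events)
    hits = []
    for ev in events:
        key = ev.get(by_field)
        if key is None:
            continue  # events without the join key can never join a sequence
        partials = pending.setdefault(key, [])
        if maxspan is not None:
            partials[:] = [p for p in partials
                           if ev["@timestamp"] - p[0]["@timestamp"] <= maxspan]
        advanced = False
        for p in partials:
            if steps[len(p)](ev):
                p.append(ev)
                advanced = True
                break
        if advanced:
            hits.extend(p for p in partials if len(p) == len(steps))
            partials[:] = [p for p in partials if len(p) < len(steps)]
        elif steps[0](ev):
            partials.append([ev])
    return hits


def run_rule(events=SAMPLE_EVENTS, maxspan_seconds=None):
    """Run the posted rule over the events; returns the list of hits."""
    span = timedelta(seconds=maxspan_seconds) if maxspan_seconds is not None else None
    return eql_sequence(events, "winlog.computer_name", RULE_STEPS, span)


if __name__ == "__main__":
    for hit in run_rule():
        host = hit[0]["winlog.computer_name"]
        print(host, [(e["event.code"], e["user.name"]) for e in hit])
```

Run against the constructed sample, only the DC01 pair (4720 then 4726 for `tmpadmin`) is a hit; with `maxspan_seconds=30` the same pair is 60 seconds apart and is no longer reported, which is the kind of difference to check when a query returns rows in the rule preview but the rule itself produces no signals.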

This helps:

PUT /_cluster/settings
{
  "persistent" : {
    "xpack" : {
      "monitoring" : {
        "migration" : {
          "decommission_alerts" : "true"
        }
      }
    }
  },
  "transient" : { }
}
