ElasticSIEM unable to find [logs-endpoint.alerts

I have been able to start using the elastic SIEM recently, and am having the following message show up in my Kibana, both in the UI as well as in the command line when I start the service.

    log [15:02:19.220] [error][plugins][securitySolution] This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ["logs-endpoint.alerts-*"] was found. This warning will continue to appear until a matching index is created or this rule is de-activated. If you have recently enrolled agents enabled with Endpoint Security through Fleet, this warning should stop once an alert is sent from an agent. name: "Endpoint Security" id: "5472eed8-d90e-11eb-9f7e-3fd2819ec70d" rule id: "9a1a2dae-0b5f-4c3d-8305-a268d404c306" signals index: ".siem-signals-default"
    log [15:02:20.296] [info][plugins][securitySolution] [+] Finished indexing 0 signals searched between date ranges [
    {
    "to": "2021-07-02T19:02:20.270Z",
    "from": "2021-07-02T18:52:20.270Z",
    "maxSignals": 10000
    }
    ] name: "Endpoint Security" id: "5472eed8-d90e-11eb-9f7e-3fd2819ec70d" rule id: "9a1a2dae-0b5f-4c3d-8305-a268d404c306" signals index: ".siem-signals-default"

Of note: I am running this on a Windows 10 Professional box with ELK version 7.12-3. This is a trial system and I can pull it down and reformat it anytime.

I am using standard settings with TLS "DISABLED" at this time. The only major configuration changes include the use of xpack-security and 1 added user. My SIEM configuration has passed all Elastic tests for initial configuration.

Any help is much appreciated.

Heya, SIEM team is here :wave:

It looks like you've installed prebuilt detection rules. One of them is the "Endpoint Security" rule:

In order to run without warnings, it requires logs from Elastic Endpoint Security to be present in Elasticsearch. You can install it to your hosts ("endpoints") via Elastic Agent. The easiest way to configure and manage agents is via Fleet (in Kibana, see Management -> Fleet):

You can find more info about this case in this GitHub comment.

So, you could enable Endpoint Security integration and start collecting data from it. As soon as data is there (in logs-endpoint.alerts-* indices), the rule should stop populating warnings. Alternatively, you could disable the rule if you're not planning to use Endpoint Security.

Let me know if this helps.

Thank you for the input Georgii.

I revisited my configuration and do have EndPoint security installed. So I created a new integration and attempted to install the agent using the enrollment steps found in the Add Integrations. I have added the Elastic Agent, and I can see that there are logs to be found under observability. I did not use the fleet when installing the Agent, I installed it manually.

On my test machine I have Kaspersky Free installed as the A-V, and the Elastic EndPoint Security is running on my test machine. When I disable Kaspersky I am unable to enable the Elastic EndPoint in order to test with EICAR and generate an alert.

Any other suggestions?

Hey, sorry for not being here for a couple days.

Alright, just want to double-check what setup do you have. So you have an Elastic Agent that you've manually enrolled in the standalone mode (not in the Fleet mode). You've configured some integrations (like the system one which should be enabled by default), including the Endpoint Security integration - in the standalone mode in your elastic-agent.yml file on the host. You have this Agent running, and you can see some logs from it in the Observability app. Is this correct?

The problem with that is Elastic documentation says that Endpoint Security requires Agent to be enrolled and managed via Fleet:

To configure the Elastic Agent, Endpoint Security requires enrollment through Fleet to enable the integration.

So I'm guessing - either our docs are not up-to-date, or maybe the Endpoint integration is actually not configured in your Agent configuration. I requested additional comments on that from folks who work on the Endpoint integration.

Meanwhile, what I'd suggest is to follow the official guide and configure Endpoint via Fleet. Also, could you please share your elastic-agent.yml?

When you've done that, I anticipate you might encounter some issues with Kaspersky antivirus installed on the host. In general, you shouldn't have 2+ antivirus software installed on the same machine, because they may conflict with each other. There would be two options in this case:

Georgii;

I was able to link the Agent using PowerShell, with Fleet.
Fleet has EndPoint Security and System enrolled. I have tried to insert my Elastic-Agent.yml file; unfortunately it makes it too large for the body of this reply.

I am not married to the Kaspersky so it can come out. Is there an easy way to share my yml file? It is pretty basic at the moment.

Georgii;

see above for fleet integrations. I am working on adding the yml file for you to review.

@MKirby Awesome! I'd suggest trying https://gist.github.com/ to share the file. Make sure to obfuscate sensitive data like logins, passwords and hostnames.

Georgii;

Here is the link to the elastic-agent.yml.

elastic-agent.yml

Thank you for the assistance.

@MKirby Thanks for sharing your yml file.

It does look like the Endpoint is properly configured based on your file.

In addition, based on your past screenshot of the Integrations UI, it looks like the Endpoint Security integration is properly installed.

Below, find some additional troubleshooting steps.

Use another test file for generating an alert
Note that Malware support for detecting EICAR is currently in the works and will be released soon.

Can you try generating an alert with a different test? You could try opening mimikatz on your host machine. You can find distributions here: Releases · gentilkiwi/mimikatz · GitHub
Warning: Use any test files such as this at your own risk.

You should see a Windows notification come up on your host machine indicating that Elastic Endpoint Security prevented Malware.

Register Elastic Endpoint Security as your AV
Inside of your yml file, I noticed that Windows isn't registered as your AV. You can quickly make Elastic Security your AV by changing this field to true:

        antivirus_registration:
          enabled: false

You can do this in the UI by going to "Fleet > Agent policies"

And editing your Endpoint integration:

Turn on AV here and save:

Additional troubleshooting
If the above doesn't work, maybe there's an issue with Endpoint streaming data.

If so, can you navigate to "Stack Management > Index Management" and go to the "Data Streams" tab? You can search by "logs-endpoint". Let me know if you see any results.

You should see something similar to this:

If there are no data streams, it may imply the Endpoint is not successfully streaming documents to ES.

Check that the Endpoint is running and streaming data

If you run into this, check that the Endpoint is installed and running. You can quickly do this on Windows by checking the install folder C:\Program Files\Elastic. There should be an Endpoint folder there.

If the Endpoint folder is there, check the logs to see if it's successfully streaming to ES. The Endpoint has self protection, so to get the logs out to check, open a cmd terminal as Administrator and copy the logs to the Desktop or other destination of your choosing. Run a command similar to this:

    copy "C:\Program Files\Elastic\Endpoint\state\log" C:\<destination-outside-Endpoint-folder>

Open up the logs file that you copied and check for logs that look like this:

{"@timestamp":"2021-07-09T14:50:02.3304214Z","agent":{"id":"16b1517b-d114-42f7-91e8-81b4ce6ae36d","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":224,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:224 Sent 1 documents to Elasticsearch","process":{"pid":3236,"thread":{"id":6552}}}
{"@timestamp":"2021-07-09T14:50:02.5051836Z","agent":{"id":"16b1517b-d114-42f7-91e8-81b4ce6ae36d","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":224,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:224 Sent 98 documents to Elasticsearch","process":{"pid":3236,"thread":{"id":6552}}}
{"@timestamp":"2021-07-09T14:50:33.7376373Z","agent":{"id":"16b1517b-d114-42f7-91e8-81b4ce6ae36d","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":224,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:224 Sent 500 documents to Elasticsearch","process":{"pid":3236,"thread":{"id":6552}}}
{"@timestamp":"2021-07-09T14:50:33.8764519Z","agent":{"id":"16b1517b-d114-42f7-91e8-81b4ce6ae36d","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":224,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:224 Sent 129 documents to Elasticsearch","process":{"pid":3236,"thread":{"id":6552}}}
{"@timestamp":"2021-07-09T14:51:03.8416559Z","agent":{"id":"16b1517b-d114-42f7-91e8-81b4ce6ae36d","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":224,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:224 Sent 497 documents to Elasticsearch","process":{"pid":3236,"thread":{"id":6552}}}
{"@timestamp":"2021-07-09T14:51:04.0054535Z","agent":{"id":"16b1517b-d114-42f7-91e8-81b4ce6ae36d","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":224,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:224 Sent 119 documents to Elasticsearch","process":{"pid":3236,"thread":{"id":6552}}}

If you don't see any successful logs streaming to ES, check to see if you see logs similar to this, implying that the Endpoint cannot stream to ES:

{"@timestamp":"2020-08-24T13:46:15.68399000Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"notice","origin":{"file":{"line":65,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:65 Elasticsearch connection is down","process":{"pid":5672,"thread":{"id":4008}}}

Let me know if the above helps!
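An added example, not part of this thread or of Elastic's own tooling: a small Python script that reads a copied Endpoint log file (the JSON-lines format shown in the post above) and reports whether the Endpoint is streaming to Elasticsearch, so the "Sent N documents" versus "connection is down" check does not have to be done by eye. The sample lines embedded in it are constructed, with a placeholder agent id.

```python
import json
import re

# Constructed sample lines (not the thread's own), in the shape the Endpoint
# writes to C:\Program Files\Elastic\Endpoint\state\log. Agent id is a placeholder.
HEALTHY_LOG = """\
{"@timestamp":"2021-07-09T14:50:02Z","agent":{"id":"00000000-0000-0000-0000-000000000000","type":"endpoint"},"log":{"level":"info"},"message":"BulkQueueConsumer.cpp:224 Sent 1 documents to Elasticsearch"}
{"@timestamp":"2021-07-09T14:50:33Z","agent":{"id":"00000000-0000-0000-0000-000000000000","type":"endpoint"},"log":{"level":"info"},"message":"BulkQueueConsumer.cpp:224 Sent 500 documents to Elasticsearch"}
"""
DOWN_LOG = """\
{"@timestamp":"2021-07-09T14:50:02Z","agent":{"id":"00000000-0000-0000-0000-000000000000","type":"endpoint"},"log":{"level":"notice"},"message":"BulkQueueConsumer.cpp:65 Elasticsearch connection is down"}
not json at all
"""

SENT_RE = re.compile(r"Sent (\d+) documents to Elasticsearch")

def summarize_endpoint_log(text):
    """Count shipped batches/documents and connection-down notices; add a verdict."""
    summary = {"sent_batches": 0, "sent_documents": 0, "connection_down": 0, "malformed": 0}
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw:
            continue
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            summary["malformed"] += 1  # truncated or non-JSON line, skipped
            continue
        msg = rec.get("message", "")
        m = SENT_RE.search(msg)
        if m:
            summary["sent_batches"] += 1
            summary["sent_documents"] += int(m.group(1))
        elif "Elasticsearch connection is down" in msg:
            summary["connection_down"] += 1
    if summary["sent_batches"] and not summary["connection_down"]:
        summary["verdict"] = "streaming"
    elif summary["sent_batches"]:
        summary["verdict"] = "intermittent"   # shipped some batches but also lost the connection
    elif summary["connection_down"]:
        summary["verdict"] = "down"
    else:
        summary["verdict"] = "no-evidence"    # no streaming lines at all: check Endpoint is installed/running
    return summary

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8").read() if path else HEALTHY_LOG
    print(json.dumps(summarize_endpoint_log(text), indent=2))
```

Run it against the copied log file (`python endpoint_log_check.py C:\path\to\copied\log`); with no argument it summarizes the embedded sample.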

Thank you for that great information. I have made sure that the Elastic SIEM is now the Anti-Virus; I was unable to get the mimikatz to work for me. Everything else seems to be configured correctly, and yet until I can get a virus detected I won't be able to get the log-endpoint to function.

Thank you again.

@MKirby sorry for the late reply. Could you confirm that Endpoint is running on your Host by checking for the existence of C:\Program Files\Elastic\Endpoint as mentioned above?

If it is, then verify that the Endpoint is streaming to ES correctly by checking the logs on your Host machine (not in Kibana). You can follow the steps above. The logs on your host are in C:\Program Files\Elastic\Endpoint\state\log. You'll need to copy them out of the Endpoint folder since it is self protected.

If no Alerts are generating and appearing in Kibana, I think the Endpoint is either not installed properly or it's failing to stream to ES.

Let me know if this helps!

Thank you for the reply. I do appreciate it. I do not have the endpoint folder as mentioned. I deployed this via Fleet, and it is on the same system as my installation. Does that make a difference?