ElasticSIEM unable to find [logs-endpoint.alerts

@MKirby Thanks for sharing your yml file.

It does look like the Endpoint is properly configured based on your file.

In addition, based on your past screenshot of the Integrations UI, it looks like the Endpoint Security integration is properly installed.

Below, find some additional troubleshooting steps.

Use another test file for generating an alert
Note that Malware support for detecting EICAR is currently in the works and will be released soon.

Can you try generating an alert with a different test? You could try opening mimikatz on your host machine. You can find distributions here: Releases · gentilkiwi/mimikatz · GitHub
Warning: Use any test files such as this at your own risk.

You should see a Windows notification come up on your host machine indicating that Elastic Endpoint Security prevented Malware.

Register Elastic Endpoint Security as your AV
Inside of your yml file, I noticed that Windows isn't registered as your AV. You can quickly make Elastic Security your AV by changing this field to true:

        antivirus_registration:
          enabled: false

You can do this in the UI by going to "Fleet > Agent policies"

And editing your Endpoint integration:

Turn on AV here and save:

Additional troubleshooting
If the above doesn't work, maybe there's an issue with Endpoint streaming data.

If so, can you navigate to "Stack Management > Index Management" and go to the "Data Streams" tab? You can search by "logs-endpoint". Let me know if you see any results.

You should see something similar to this:

If there are no data streams, it may imply the Endpoint is not successfully streaming documents to ES.

Check that the Endpoint is running and streaming data

If you run into this, check that the Endpoint is installed and running. You can quickly do this on Windows by checking the install folder C:\Program Files\Elastic. There should be an Endpoint folder there.

If the Endpoint folder is there, check the logs to see if it's successfully streaming to ES. The Endpoint has self protection, so to get the logs out to check, open a cmd terminal as Administrator and copy the logs to the Desktop or other destination of your choosing. Run a command similar to this:

copy "C:\Program Files\Elastic\Endpoint\state\log" C:\<destination-outside-Endpoint-folder>

Open up the logs file that you copied and check for logs that look like this:

{"@timestamp":"2021-07-09T14:50:02.3304214Z","agent":{"id":"16b1517b-d114-42f7-91e8-81b4ce6ae36d","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":224,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:224 Sent 1 documents to Elasticsearch","process":{"pid":3236,"thread":{"id":6552}}}
{"@timestamp":"2021-07-09T14:50:02.5051836Z","agent":{"id":"16b1517b-d114-42f7-91e8-81b4ce6ae36d","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":224,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:224 Sent 98 documents to Elasticsearch","process":{"pid":3236,"thread":{"id":6552}}}
{"@timestamp":"2021-07-09T14:50:33.7376373Z","agent":{"id":"16b1517b-d114-42f7-91e8-81b4ce6ae36d","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":224,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:224 Sent 500 documents to Elasticsearch","process":{"pid":3236,"thread":{"id":6552}}}
{"@timestamp":"2021-07-09T14:50:33.8764519Z","agent":{"id":"16b1517b-d114-42f7-91e8-81b4ce6ae36d","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":224,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:224 Sent 129 documents to Elasticsearch","process":{"pid":3236,"thread":{"id":6552}}}
{"@timestamp":"2021-07-09T14:51:03.8416559Z","agent":{"id":"16b1517b-d114-42f7-91e8-81b4ce6ae36d","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":224,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:224 Sent 497 documents to Elasticsearch","process":{"pid":3236,"thread":{"id":6552}}}
{"@timestamp":"2021-07-09T14:51:04.0054535Z","agent":{"id":"16b1517b-d114-42f7-91e8-81b4ce6ae36d","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":224,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:224 Sent 119 documents to Elasticsearch","process":{"pid":3236,"thread":{"id":6552}}}

If you don't see any successful logs streaming to ES, check to see if you see logs similar to this, implying that the Endpoint cannot stream to ES:

{"@timestamp":"2020-08-24T13:46:15.68399000Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"notice","origin":{"file":{"line":65,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:65 Elasticsearch connection is down","process":{"pid":5672,"thread":{"id":4008}}}

Let me know if the above helps!
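As an added example (not part of the original post or of Elastic's own tooling), here is a small Python script that applies the two log checks described above to the copied Endpoint log files: it counts the "Sent N documents to Elasticsearch" entries and the "Elasticsearch connection is down" notices and reports which signal is more recent. The sample lines embedded in it are three of the log lines quoted in the post plus one constructed non-JSON line; the file paths and the `status` labels are this example's own choices.

```python
"""Triage Elastic Endpoint log lines: is the Endpoint streaming to Elasticsearch?

Added example, not code from the forum post or from Elastic. It reads the
NDJSON lines the Endpoint writes under C:\\Program Files\\Elastic\\Endpoint\\state\\log
(copied out first, as the post describes) and summarises whether documents
are reaching Elasticsearch or whether the connection is reported down.
"""
import json
import re
import sys
from pathlib import Path

# Message shapes taken from the log lines quoted in the post.
SENT_RE = re.compile(r"Sent (\d+) documents to Elasticsearch")
DOWN_MARKER = "Elasticsearch connection is down"

# Constructed sample: three lines quoted from the post plus one constructed junk line.
SAMPLE_LOG = """\
{"@timestamp":"2021-07-09T14:50:02.3304214Z","agent":{"id":"16b1517b-d114-42f7-91e8-81b4ce6ae36d","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":224,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:224 Sent 1 documents to Elasticsearch","process":{"pid":3236,"thread":{"id":6552}}}
{"@timestamp":"2021-07-09T14:50:02.5051836Z","agent":{"id":"16b1517b-d114-42f7-91e8-81b4ce6ae36d","type":"endpoint"},"ecs":{"version":"1.6.0"},"log":{"level":"info","origin":{"file":{"line":224,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:224 Sent 98 documents to Elasticsearch","process":{"pid":3236,"thread":{"id":6552}}}
{"@timestamp":"2020-08-24T13:46:15.68399000Z","agent":{"id":"8203e9d6-b0dc-49d8-a579-b105a67bacad","type":"endpoint"},"ecs":{"version":"1.5.0"},"log":{"level":"notice","origin":{"file":{"line":65,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:65 Elasticsearch connection is down","process":{"pid":5672,"thread":{"id":4008}}}
this line is not JSON and should be counted as skipped (constructed)
"""


def triage_endpoint_log(lines):
    """Summarise Endpoint log lines (one JSON object per line).

    Returns a dict with the number of send batches, total documents sent,
    the @timestamp of the latest send, the number of connection-down notices,
    the @timestamp of the latest one, the count of unparseable lines, and a
    status of 'streaming', 'connection-down' or 'no-streaming-evidence'.
    """
    summary = {"sent_batches": 0, "documents_sent": 0, "last_sent_at": None,
               "connection_down": 0, "last_down_at": None, "skipped": 0}
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            summary["skipped"] += 1
            continue
        message = entry.get("message", "")
        ts = entry.get("@timestamp")
        m = SENT_RE.search(message)
        if m:
            summary["sent_batches"] += 1
            summary["documents_sent"] += int(m.group(1))
            summary["last_sent_at"] = ts
        elif DOWN_MARKER in message:
            summary["connection_down"] += 1
            summary["last_down_at"] = ts

    # The most recent signal decides. Timestamps are ISO-8601 UTC strings of
    # one shape, so plain string comparison orders them chronologically.
    sent, down = summary["last_sent_at"], summary["last_down_at"]
    if sent and (not down or sent > down):
        summary["status"] = "streaming"
    elif down:
        summary["status"] = "connection-down"
    else:
        summary["status"] = "no-streaming-evidence"
    return summary


def triage_log_files(paths):
    """Run the triage over every file in `paths` (the copied endpoint-*.log files)."""
    lines = []
    for p in paths:
        lines.extend(Path(p).read_text(encoding="utf-8", errors="replace").splitlines())
    return triage_endpoint_log(lines)


if __name__ == "__main__":
    # Usage: python endpoint_log_triage.py C:\Users\me\Desktop\log\endpoint-*.log
    result = triage_log_files(sys.argv[1:]) if len(sys.argv) > 1 \
        else triage_endpoint_log(SAMPLE_LOG.splitlines())
    print(json.dumps(result, indent=2))
```

Run it against the copied log directory and look at `status` first: `streaming` means the "Sent N documents" lines are the newest signal, `connection-down` means the latest notice is the connection failure shown in the post, and `no-streaming-evidence` means neither message appears, which points back to checking whether the Endpoint is installed and running at all.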