We are currently evaluating the Elastic Agent to be used as an endpoint security solution within our company. We are especially interested in the features provided by Endgame.
To get a feeling for the system I have set up a test environment using my computer running an Elasticsearch (version 7.15.1) and a Kibana instance. Further, I'm using VirtualBox running an Ubuntu 20.04.2 VM to simulate a client for the Elastic Agent. This setup seems to work so far, since I'm receiving alerts for a few test cases.
To test Endgame I have downloaded several GB of malicious PE and ELF files and enabled all Endgame rules. However, I have not received an alert from any of these rules, and all rules show the following warning message:
This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ["endgame-*"] was found. This warning will continue to appear until a matching index is created or this rule is de-activated.
The only alert related to these files came from the Endpoint Security rule while pulling a git repository with malicious ELF files.
I have used this guide for the setup.
Am I misunderstanding something about the functionality of Endgame? I have not found any additional resources that seem to be up to date.
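As an added example (not code from the original post or from Elastic), the script below reproduces the condition behind the rule warning offline: it matches a rule's index patterns against a constructed list of index names and reports the patterns that resolve to nothing, and it can also ask a test cluster what a pattern resolves to. The index names and the cluster URL are assumptions.

```python
"""Check which of a detection rule's index patterns match no index.

A rule whose "Index pattern" list contains a pattern that matches no index,
alias or data stream can only warn, never alert; this is the situation
behind 'no index matching: ["endgame-*"] was found'.
"""
import json
import re
import urllib.request

# Constructed sample: index patterns as a rule lists them, and the names a
# small test cluster might actually hold. No Endgame data was ever shipped,
# so nothing named endgame-* exists, while the Endpoint Security alert
# stream does.
RULE_PATTERNS = ["endgame-*", "logs-endpoint.alerts-*"]
SAMPLE_NAMES = ["logs-endpoint.alerts-default",
                "filebeat-7.15.1-2021.11.01-000001",
                ".kibana_7.15.1_001"]


def pattern_matches(pattern, name):
    """True if an Elasticsearch-style index pattern ('*' wildcard) matches name."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None


def unmatched_patterns(patterns, names):
    """Return the patterns that match none of the given names."""
    return [p for p in patterns
            if not any(pattern_matches(p, n) for n in names)]


def resolve_live(pattern, base_url="http://localhost:9200"):
    """Ask a running cluster what a pattern resolves to via the resolve index
    API (GET /_resolve/index/<name>), which lists matching indices, aliases
    and data streams. base_url is an assumption; set it to your test cluster."""
    with urllib.request.urlopen(f"{base_url}/_resolve/index/{pattern}") as resp:
        body = json.load(resp)
    return [entry["name"] for key in ("indices", "aliases", "data_streams")
            for entry in body.get(key, [])]


if __name__ == "__main__":
    for missing in unmatched_patterns(RULE_PATTERNS, SAMPLE_NAMES):
        print(f'no index matching: ["{missing}"] -> rule cannot produce alerts')
```

Run it against the live cluster by replacing SAMPLE_NAMES with the union of resolve_live(p) over the rule's patterns; an empty result for a pattern is the same condition Kibana is warning about.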