Actively log for the agent? I don't happen to see security admin or configuration status.
Exception list is empty on all clusters as the option to add "save" exception is grayed out on each one for some reason. If I attempt to add an endpoint exemption nothing will populate. If I manually type I'm unable to save. I can add a rule exemption as a test to see if it will download and have success vs failure.
Results from URL. Considering the API is used it's a little harder to check. Using the elastic user ends with:
{"statusCode":401,"error":"Unauthorized","message":"Unauthorized"}
Going back 1 level to see if I would get a file list:
{"statusCode":404,"error":"Not Found","message":"Not Found"}
Well that would be a good reason to fail...
Is Endpoint set up like Carbon Black or Cylance where it's only active on runtime? That would explain some of it. I did use the good old Metasploit as well on an unpatched box. Guess we should start with the little things first as you said.
I'll let you know as soon as I get the rule added and tested on a few machines. See if I end up with the same or different results.