Endpoint Security help

ELK 8.12, on-prem, single server.
So far I have all my Active Directory domain controllers sending their logs into ELK server. This produces some great logs for me to view. I have added the Endpoint Security integration into my agent policy.
I can see my hosts under /Security/Endpoints but I am not getting any activity.

This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ["logs-endpoint.alerts-*"] was found. This warning will continue to appear until a matching index is created or this rule is de-activated. If you have recently enrolled agents enabled with Endpoint Security through Fleet, this warning should stop once an alert is sent from an agent.

I have turned on the 7zip rule and met the requirements.

I have the following in my Elasticsearch and Kibana config files:

xpack.encryptedSavedObjects.encryptionKey: abcdef................
# Enable security features
xpack.security.enabled: true

xpack.security.enrollment.enabled: true

# Enable encryption for HTTP API client connections, such as Kibana, Logstash, and Agents
xpack.security.http.ssl:
  enabled: true
  keystore.path: certs/http.p12

# Enable encryption and mutual authentication between cluster nodes
xpack.security.transport.ssl:
  enabled: true
  verification_mode: certificate
  keystore.path: certs/transport.p12
  truststore.path: certs/transport.p12

Hello, have you already tried the troubleshooting steps mentioned in this thread: Endpoint Security Not Working?

Really helpful link, thanks. Please see below.

{"@timestamp":"2022-05-24T13:34:05.0603774Z","agent":{"id":"29304541-f6b9-404d-a40a-2ad916031b85","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":199,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:199 Sent 191 documents to Elasticsearch","process":{"pid":4472,"thread":{"id":6772}}}
{"@timestamp":"2022-05-24T13:34:34.9132533Z","agent":{"id":"29304541-f6b9-404d-a40a-2ad916031b85","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":199,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:199 Sent 500 documents to Elasticsearch","process":{"pid":4472,"thread":{"id":6772}}}
{"@timestamp":"2022-05-24T13:34:35.0687729Z","agent":{"id":"29304541-f6b9-404d-a40a-2ad916031b85","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":199,"name":"BulkQueueConsumer.cpp"}}},"message":"BulkQueueConsumer.cpp:199 Sent 221 documents to Elasticsearch","process":{"pid":4472,"thread":{"id":6772}}}
{"@timestamp":"2022-05-24T13:35:01.910479Z","agent":{"id":"29304541-f6b9-404d-a40a-2ad916031b85","type":"endpoint"},"ecs":{"version":"1.11.0"},"log":{"level":"info","origin":{"file":{"line":70,"name":"Logging.cpp"}}},"message":"Logging.cpp:70 Logging directory cleaned up, current size: 2657338","process":{"pid":4472,"thread":{"id":4740}}}

Great to see that. Is the 7zip rule working as expected now? If not, we can test whether Elastic Endpoint generates alerts by downloading the EICAR sample from https://www.eicar.org/. This will also make the warning message in Kibana disappear, as the corresponding index is going to be created in ES by the EICAR alert. If all that works, we would have to focus on the 7zip rule.

@lesio cheers
The EICAR trick worked for getting my first alert. I saw it flag up in the systray and then appear in the 'alerts' console on Elastic. I then tried 7zip but am still getting nothing from that. It doesn't prevent it running and does not log anything to alerts. I have also tried the clear screen rule too.

Hi, I see there's some confusion about the rules. The 7zip rule runs on Elasticsearch, i.e. offline. If you click on the rule you'll see the details, the EQL query which produces the alert, and the scheduling. I can see that it is scheduled to run every 5 minutes, looking for process execution events with specific params.

To test it, run 7z.exe a -sdel; that's enough to trigger the rule. In Kibana, go to events and confirm that you can see the 7zip execution event; you can filter events by process.name: "7z.exe". On the rules page, switch to Rules monitoring and confirm that the 7zip rule was recently scheduled to run.

When the Last run time is shorter than the time passed since you executed 7zip, you should see the alert in Kibana.
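The two things the reply above asks the poster to check, as an added example that is not part of the thread and not the rule's real EQL: a simplified stand-in for the rule's match condition (7z.exe started with "a" and "-sdel"; the exact parameters the shipped rule checks are an assumption here) and the scheduling window, which decides whether the run that already happened could have seen the event. Events, interval and the extra look-back minute are constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed ECS-style process events, not data from the thread's cluster.
SAMPLE_EVENTS = [
    {"@timestamp": "2022-05-24T14:00:10Z", "event": {"type": ["start"]},
     "process": {"name": "7z.exe", "args": ["7z.exe", "a", "-sdel", "out.7z", "C:\\docs"]}},
    {"@timestamp": "2022-05-24T14:00:20Z", "event": {"type": ["start"]},
     "process": {"name": "7z.exe", "args": ["7z.exe", "a", "-pS3cret", "out.7z", "C:\\docs"]}},
    {"@timestamp": "2022-05-24T14:00:30Z", "event": {"type": ["start"]},
     "process": {"name": "7z.exe", "args": ["7z.exe", "x", "out.7z"]}},
    {"@timestamp": "2022-05-24T14:06:00Z", "event": {"type": ["start"]},
     "process": {"name": "7z.exe", "args": ["7z.exe", "a", "-sdel", "late.7z"]}},
]

def parse_ts(ts):
    # ECS timestamps end in 'Z'; fromisoformat wants an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def matches_7zip_rule(event):
    """Simplified stand-in (assumption, not the rule's real EQL): a 7z.exe
    process start event whose command line adds to an archive ('a') and
    deletes the sources afterwards ('-sdel'), as in the test command above."""
    if "start" not in event.get("event", {}).get("type", []):
        return False
    proc = event.get("process", {})
    args = proc.get("args", [])
    if proc.get("name", "").lower() != "7z.exe":
        return False
    return "a" in args[1:] and "-sdel" in args

def in_rule_window(event_ts, run_started, interval=timedelta(minutes=5),
                   lookback=timedelta(minutes=1)):
    """A scheduled rule only sees events inside the window its run queried,
    [run_started - interval - lookback, run_started]. Anything newer waits
    for the next run, which is the 'Last run' point made above. The 5-minute
    interval is from the thread; the 1-minute extra look-back is assumed."""
    return run_started - interval - lookback <= event_ts <= run_started

def alerts_for(events, run_started):
    """Timestamps of events that match the rule AND were visible to the run
    that started at run_started (an ISO-8601 string such as the ones above)."""
    run = parse_ts(run_started)
    return [e["@timestamp"] for e in events
            if matches_7zip_rule(e) and in_rule_window(parse_ts(e["@timestamp"]), run)]

if __name__ == "__main__":
    print(alerts_for(SAMPLE_EVENTS, "2022-05-24T14:05:00Z"))  # only the 14:00:10 event
    print(alerts_for(SAMPLE_EVENTS, "2022-05-24T14:10:00Z"))  # only the 14:06:00 event
```

The password-only invocation and the extract ("x") never match this stand-in, and the 14:06 event is picked up only by the run after the one at 14:05, which is why an alert can lag a few minutes behind the execution in Discover.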


@lesio Apologies, Gmail was putting Elastic emails into spam so I missed your reply at first.
I did as you said; well, I checked in Discover for process.name and could see 7zip had run. I then checked rules and could see it flagged up in there when running the command '7z.exe a -sdel'. Previously I was just adding to an archive and setting a password to encrypt the file. Maybe I was missing a step, but your command has triggered the alert in the ELK console.

Thanks for your help. It has worked a treat.
