Endpoint Security Not Working

Hey everyone,

I am using an agent that have a personalised policy with:

  • Endpoint Security
  • Windows
  • System

And my issue is when I test a malicious behavior (with MITRE ATT&CK Techniques) I can't see the alerts and in my list of rules my endpoint security last response is a warning:

And the warning is:

This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ["logs-endpoint.alerts-*"] was found. This warning will continue to appear until a matching index is created or this rule is de-activated. If you have recently enrolled agents enabled with Endpoint Security through Fleet, this warning should stop once an alert is sent from an agent.

I also delete the integration (endpoint security) and add it, but it didn't work.

So guys I'm here to express my issue and I really need your help.

Thank you
Reda BELHAJ

Hi Reda. Sorry to hear about this issue.

Can you please tell us how do you enrol agent on your host? Is it done through Fleet Integration as it advised in official documentation?

According to docs:

To configure the Elastic Agent, Endpoint Security requires enrollment through Fleet to enable the integration.
Endpoint Security cannot be integrated with an Elastic Agent in standalone mode.

Also, rule execution will fail before the first alert get generated by this rule according to the warning you see

This warning will continue to appear until a matching index is created or this rule is de-activated. If you have recently enrolled agents enabled with Endpoint Security through Fleet, this warning should stop once an alert is sent from an agent.

Here is also more details into that Endpoint Security Rules are Failing on On-Prem usage (seen on 7.11.0 BC6 and 8.0/master) · Issue #90401 · elastic/kibana · GitHub
Can you please confirm whether any alert was generated by this rule? If not, this warning should disappear after the first one.

And here is extensive list of test actions how to verify if agent is installed correctly and works as expected ElasticSIEM unable to find [logs-endpoint.alerts - #9 by Kevin_Logan.
Particularly, step with generating a new alert should fix issue you have if agent configured correctly.

Let me know if this helps. Thanks, Vitalii

I may add that since that last troubleshooting guide we improved a bit. Checking Elastic Endpoint logs is still a very good way to discover problems, but to quickly check Endpoint connectivity we introduced a handy function:
From elevated command prompt (running as administrator) run C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe test output

Hey @lesio thank you so much for your help I have solved the issue with testing EICAR Malware Test and I remark that my endpoints start sending alerts

Thank you again