I am using an agent that has a personalised policy with:
Endpoint Security
Windows
System
And my issue is when I test a malicious behavior (with MITRE ATT&CK Techniques) I can't see the alerts and in my list of rules my endpoint security last response is a warning:
This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ["logs-endpoint.alerts-*"] was found. This warning will continue to appear until a matching index is created or this rule is de-activated. If you have recently enrolled agents enabled with Endpoint Security through Fleet, this warning should stop once an alert is sent from an agent.
I also deleted the integration (Endpoint Security) and added it again, but it didn't work.
So guys I'm here to express my issue and I really need your help.
Can you please tell us how you enrol the agent on your host? Is it done through the Fleet integration, as advised in the official documentation?
According to the docs:
To configure the Elastic Agent, Endpoint Security requires enrollment through Fleet to enable the integration.
Endpoint Security cannot be integrated with an Elastic Agent in standalone mode.
Also, rule execution will fail before the first alert gets generated by this rule, according to the warning you see:
This warning will continue to appear until a matching index is created or this rule is de-activated. If you have recently enrolled agents enabled with Endpoint Security through Fleet, this warning should stop once an alert is sent from an agent.
And here is an extensive list of test actions on how to verify whether the agent is installed correctly and works as expected: ElasticSIEM unable to find [logs-endpoint.alerts - #9 by Kevin_Logan.
In particular, the step generating a new alert should fix the issue you have if the agent is configured correctly.
I may add that since that last troubleshooting guide we have improved a bit. Checking the Elastic Endpoint logs is still a very good way to discover problems, but to quickly check Endpoint connectivity we introduced a handy function:
From an elevated command prompt (running as administrator) run: C:\Program Files\Elastic\Endpoint\elastic-endpoint.exe test output
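The warning quoted above fires because the rule's index pattern ["logs-endpoint.alerts-*"] resolves to nothing until a Fleet-enrolled Endpoint writes its first alert. A quick way to confirm that from the Elasticsearch side, as a complement to the elastic-endpoint.exe connectivity test, is to ask the cluster what the pattern resolves to. The script below is an added example, not Elastic's own code or anything from this thread: it uses the real GET /_resolve/index/<pattern> API, while the cluster URL, credentials and the two sample responses are constructed for illustration.

```python
"""Check whether a detection rule's index pattern is backed by anything in Elasticsearch.

Added example (not Elastic's code). GET /_resolve/index/<pattern> returns the
concrete indices, aliases and data streams matching a pattern; an empty result
is exactly the condition behind the "no index matching" rule warning.
"""
import base64
import json
import urllib.request
from typing import Dict, List


def matching_targets(resolve_response: Dict) -> List[str]:
    """Names of indices, aliases and data streams listed in a _resolve/index response."""
    names: List[str] = []
    for key in ("indices", "aliases", "data_streams"):
        names.extend(entry["name"] for entry in resolve_response.get(key, []))
    return names


def pattern_is_backed(resolve_response: Dict) -> bool:
    """True when at least one concrete target exists, i.e. the rule warning should clear."""
    return bool(matching_targets(resolve_response))


def fetch_resolve(base_url: str, pattern: str, user: str, password: str) -> Dict:
    """Call GET /_resolve/index/<pattern> with HTTP basic auth.

    Assumes an HTTP(S)-reachable cluster and a user allowed to view index metadata;
    the base_url/user/password values are placeholders supplied by the caller.
    """
    req = urllib.request.Request(f"{base_url.rstrip('/')}/_resolve/index/{pattern}")
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


# Constructed sample responses: a cluster where no Endpoint alert has been written
# yet (the warning persists) and one where the first alert created the data stream.
EMPTY_RESPONSE = {"indices": [], "aliases": [], "data_streams": []}
ALERTS_PRESENT = {
    "indices": [],
    "aliases": [],
    "data_streams": [
        {
            "name": "logs-endpoint.alerts-default",
            "backing_indices": [".ds-logs-endpoint.alerts-default-000001"],
            "timestamp_field": "@timestamp",
        }
    ],
}

if __name__ == "__main__":
    for label, sample in (("before first alert", EMPTY_RESPONSE), ("after first alert", ALERTS_PRESENT)):
        state = "backed" if pattern_is_backed(sample) else "no matching index"
        print(f"{label}: {state} {matching_targets(sample)}")
    # Against a live cluster you would instead call, for example:
    # pattern_is_backed(fetch_resolve("https://es.example.internal:9200", "logs-endpoint.alerts-*", "user", "pass"))
```

If the live call returns an empty result after the Endpoint has been enrolled through Fleet, the agent has not yet shipped an alert (or cannot reach the output), which is what the test output command on the host is meant to surface.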