EQL rules do not work but see hits


I'm trying to get started with Elastic SIEM and I noticed a problem.
To retrieve the logs, I use Auditbeat (for technical reasons, I can't use Elastic Agent).

I have the impression that none of the rules written in EQL format work, where those written in KQL work.

For example, I'm trying to trigger the Hosts File Modified rule. To do this, I modify my /etc/hosts file on my Linux machine.
I can see the data coming up in Discover. However, the rule is not triggered: I don't see it in Security - Alerts.

However, when I duplicate the rule and I click on Preview to see if there are hits, I find some!

Do you have any idea where this could be coming from?

To get away from infrastructure bugs, I sent my data to Elastic Cloud with a trial account, and I have the same issue.

I tested in version 7.15.2 and 7.17.

Thank you for your question and for trying Elastic SIEM! I will find someone to help with your EQL/KQL issue, but in the meantime, can you elaborate on the technical reasons you are unable to use Elastic Agent?


Hi @Why ,

By default, the Hosts File Modified rule runs every five minutes, and looks at the last nine minutes of events (via event.ingested). It's unclear from your screenshots whether those events fall within the last nine minutes, but you can verify whether that's the issue by increasing the Additional look-back time on your duplicated rule's schedule. If that's not the issue, I would recommend writing a much simpler EQL rule (e.g. any where true), verifying that it generates alerts, and building from that until the issue is found.

Other common problems to keep in mind: a mapping conflict between the event data and the destination alerts index would cause alerts not to be written. Permissions issues would also cause problems. In both cases, however, warnings and/or errors would be shown on the rule's details page (Last response, Failure History Tab).

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.