I'm trying to get started with Elastic SIEM and I noticed a problem.
To retrieve the logs, I use Auditbeat (for technical reasons, I can't use Elastic Agent).
I have the impression that none of the rules written in EQL format work, where those written in KQL work.
For example, I'm trying to trigger the Hosts File Modified rule. To do this, I modify my /etc/hosts file on my Linux machine.
I can see the data coming up in Discover. However, the rule is not triggered: I don't see it in Security - Alerts.
Thank you for your question and for trying Elastic SIEM! I will find someone to help with your EQL/KQL issue, but in the meantime, can you elaborate on the technical reasons you are unable to use Elastic Agent?
By default, the Hosts File Modified rule runs every five minutes, and looks at the last nine minutes of events (via event.ingested). It's unclear from your screenshots whether those events fall within the last nine minutes, but you can verify whether that's the issue by increasing the Additional look-back time on your duplicated rule's schedule. If that's not the issue, I would recommend writing a much simpler EQL rule (e.g. any where true), verifying that it generates alerts, and building from that until the issue is found.
Other common problems to keep in mind: a mapping conflict between the event data and the destination alerts index would cause alerts not to be written. Permissions issues would also cause problems. In both cases, however, warnings and/or errors would be shown on the rule's details page (Last response, Failure History Tab).
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant
logo are trademarks of the
Apache Software Foundation
in the United States and/or other countries.
