Event correlation query not generating detection alerts

Nil_Battey_Sannata · April 26, 2021, 7:24am

This is prebuilt detection rule with event correlation. If I am executing query manually then it showing the correct hits.

But this is not generating any alerts.

Same story with every rule with event correlation. Rules with simple query are working as expected.

Nil_Battey_Sannata · April 26, 2021, 11:27am

Can someone help here? Updates are here- Event correlation query not generating detection alerts · Issue #1151 · elastic/detection-rules · GitHub

Felix_Roessel · April 26, 2021, 3:58pm

@jamesspi Could you help as you also worked on the github issue?

jamesspi · April 26, 2021, 4:10pm

Hey @Felix_Roessel , this is resolved now - the sysmon module does not populate event.ingested, causing the detection rule to miss, since it's specified as an override field. The solution is to remove the override.

system · May 24, 2021, 4:11pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Correlation rules not working SIEM elastic-stack-alerting	1	429	May 22, 2021
Detection Rules don't alert SIEM	5	866	September 10, 2021
Problem with Detections - Custom query rule SIEM	10	674	September 8, 2022
Rules not triggering alerts Elastic Security detection-rules	6	3153	October 19, 2021
SIEM Event Correlation rule returns no data SIEM	4	630	January 14, 2022

Event correlation query not generating detection alerts

Related Topics