How to test Elasticsearch rules?

I have successfully installed the elastic-agent on Kubernetes cluster and see them showing up in the fleet.

I turned on bunch of rules, I see them as enabled. now I want to be able to trigger one of those rules. something simple like Suspicious CronTab Creation or Modification.

I ssh into the node that fleet is monitoring and create a crontab. I waited for 15 minutes but I don't see any execution for this rule getting triggered.

what am I missing here?

Hey @iojas, that rule aims to detect Suspicious CronTab creation or modification on MacOS systems.

To trigger the rules is essential to understand them first. For example, to trigger Suspicious CronTab Creation or Modification, you need to create a file in the /private/var/at/tabs/ directory using a process other than /usr/bin/crontab, which is MacOS specific.

We also provide some scripts to trigger rules in the detection rules repo, that you can use to some of the rules.

Let me know if you have questions.

1 Like

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.