How to test Elasticsearch rules?

I have successfully installed the elastic-agent on a Kubernetes cluster and see the agents showing up in Fleet.

I turned on a bunch of rules, and I see them as enabled. Now I want to be able to trigger one of those rules, something simple like Suspicious CronTab Creation or Modification.

I SSH into the node that Fleet is monitoring and create a crontab. I waited for 15 minutes, but I don't see any execution of this rule getting triggered.

What am I missing here?

Hey @iojas, that rule aims to detect Suspicious CronTab creation or modification on macOS systems.

To trigger the rules, it is essential to understand them first. For example, to trigger Suspicious CronTab Creation or Modification, you need to create a file in the /private/var/at/tabs/ directory using a process other than /usr/bin/crontab, which is macOS specific.

We also provide some scripts to trigger rules in the detection rules repo, which you can use for some of the rules.

Let me know if you have questions.
J
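To make the answer concrete, here is an added example (not from the thread or from the elastic/detection-rules repo): a small Python approximation of the rule's logic, run over constructed sample events. The field names and conditions are an assumption reconstructed from the answer's description (macOS, file written under /private/var/at/tabs/ by something other than /usr/bin/crontab); it shows why a crontab edit on a Linux node never matches, so check the real rule query before relying on the details.

```python
# Added example, not code from the original thread or from Elastic.
# The conditions below are an ASSUMED approximation of the rule described
# in the answer; consult the real rule in elastic/detection-rules.
from typing import Dict, List

WATCHED_DIR = "/private/var/at/tabs/"   # macOS crontab spool, per the answer
ALLOWED_PROCESS = "/usr/bin/crontab"    # the one writer the rule excludes


def rule_matches(event: Dict[str, str]) -> bool:
    """Return True when an event would trigger the approximated rule."""
    return (
        event.get("event.category") == "file"
        and event.get("host.os.type") == "macos"
        and event.get("event.type") in ("creation", "modification")
        and event.get("file.path", "").startswith(WATCHED_DIR)
        and event.get("process.executable") != ALLOWED_PROCESS
    )


# Constructed sample events (not real telemetry), in ECS-style field names.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    # 0: what the question describes, a crontab edited on a Linux node
    {"event.category": "file", "event.type": "modification",
     "host.os.type": "linux", "file.path": "/var/spool/cron/crontabs/root",
     "process.executable": "/usr/bin/crontab"},
    # 1: macOS, but written by the legitimate crontab binary (excluded)
    {"event.category": "file", "event.type": "modification",
     "host.os.type": "macos", "file.path": "/private/var/at/tabs/root",
     "process.executable": "/usr/bin/crontab"},
    # 2: macOS, file written by another process, so the rule fires
    {"event.category": "file", "event.type": "creation",
     "host.os.type": "macos", "file.path": "/private/var/at/tabs/root",
     "process.executable": "/bin/sh"},
]


def evaluate(events: List[Dict[str, str]]) -> List[int]:
    """Return the zero-based indexes of the events that match the rule."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for i, e in enumerate(SAMPLE_EVENTS):
        verdict = "MATCH" if rule_matches(e) else "no match"
        print(i, verdict, e["host.os.type"], e["file.path"])
```

Only event 2 matches; the Linux event from the question fails both the OS check and the path check, which is why waiting longer would not have helped.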

