Issue with Signals in ELK7.8

jancodenew · March 9, 2021, 1:00pm

Hi,

I have 200 rule signals running. There are 80 Elastic default rules and 120 custom rules.

Last response of most of the rules are showing succeeded but last run is 6 days ago and more. There is no error message.

Please help me to resolve this issue.

yctercero · March 9, 2021, 4:10pm

Hi @jancodenew ,

Thanks for posting. It may be helpful to get more details on one of the rules you're seeing this happen for to better triage.

Are the rules you are seeing run as "[ X ] days ago" prepackaged, custom or are you seeing it occur for both?
What sort of interval is set on the rule?
Are there any messages under the rule details Failure History tab?
Has it previously successfully generated alerts?
If you disable and re-enable one of these rules, do you see any failures?

I believe it was in 7.9+ that we addressed some feedback to make triaging such situations easier. If possible to do so, it could be helpful to update to the latest version.

jancodenew · March 16, 2021, 6:32am

Replied inline. Please check,

yctercero · March 23, 2021, 11:02pm

Hi @jancodenew -

Apologies for the delayed response. Are you continuing to encounter this issue? What were some of the failure messages you mentioned appeared under the rule details of some of the rules that appear to not have run for a long time?

system · April 20, 2021, 11:02pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
SIEM Rule Failures SIEM	6	784	March 1, 2021
Detection Custom Rule not working SIEM	18	2457	March 28, 2020
Custom detection rules failing in bulk Elastic Security detection-rules	3	363	March 26, 2021
Custom Query detection Rule is not runnig on my elk Elastic Security	3	349	April 6, 2023
Rules in ElasticSIEM not create signals SIEM	5	549	May 14, 2020

Issue with Signals in ELK7.8

Related Topics