Machine Learning rule does not trigger while

Poukim0m · April 10, 2024, 1:00pm

Hello,

i have created a machine learning job and i have selected this job in the correspondent machine learning rule in Security->Rules-> Detection Rules and have added as action a notification to my e-mail.
I have also set up a notification email on the machine learning job level.

However i am not receiving any notification from the ML rule. I am receiving notification only from the job.
Have you got any idea why this happens?

Thank you in advance,
Vivian

Maxim_Palenov · April 10, 2024, 7:32pm

Hi @Poukim0m,

There are multiple reasons why you don't receive notification emails. You need to make sure the following

Alerts are generated by the rule. Actions get triggered for alerts generated by the rule. If there are no alerts no actions will be triggered.
There is a properly configured email connector. You can send a test email to make sure credentials are correct and connectors works as expected.
An email action using the mentioned connector is added to the rule and rule saved so you can see the added action on the rule details page
Rule is not snoozed. Rule snoozing disables actions. While rule is snoozed actions won'e be triggered for generated alerts.

Let me know if it didn't help.

Poukim0m · April 19, 2024, 12:17pm

Hi Maxim.

Thank you for your response.
I receive alerts from jobs but at the same time alerts are not created by the corresponding rule.

Is there something more to check? Because it does not make sense

Poukim0m · April 24, 2024, 8:04am

Hello, just to let you know that after attending an elastic workshop i was able to find the solution to this. I had to widen the lookback time of the detection rule.