I am trying to add threat intelligence to my SIEM.
I downloaded a database of malware hashes, and I am using Auditbeat file integrity monitoring to detect malware, and then I created an rmatch rule like this:
And then I downloaded a malware sample on my Windows machine, and as we can see, when I filter by its hash I can see it in Auditbeat Discover:
and we can also see it in my malware database:
But when the rule executes, it doesn't generate any alert! (We can see that the rule succeeded.)
Could you please explain to me why this is happening?