Missing index .siem-signals-default

Elastic Security SIEM
1

Having 7.16.3 properly licensed with Platinum, I cannot run some (tried five) ML-rules from Security due to: ".siem-signals-default" missing.

I have Elastic Agent deployed with Security Endpoint activated and lots of data in logs-*
An error occurred during rule execution: message: "windows_rare_metadata_user,v2_windows_rare_metadata_user missing" name: "Unusual Windows User Calling the Metadata Service" id: "0f1f529c-79e7-11ec-8cb2-a14d75db9d36" rule id: "df197323-72a8-46a9-a08e-3f5b04a4a97a" signals index: ".siem-signals-default"

2

Welcome to our community! :smiley:

I would encourage you to open a Support request, as you're entitled to that with that license.

3

Trust me, I'm giving support a hard time with many of my newbie-questions.

Just evaluating if the forums are candidates for quicker answers for non-critical matters

1 Like
4

Hey there @slash24! :wave:

Sorry about the confusion here -- looks like that error message isn't helpful enough. Your signals index isn't actually missing, but rather one of the ML Jobs on that Rule isn't installed. In this case it looks like missing is added next to the job in question: v2_windows_rare_metadata_user missing.

To resolve, you can use the ML Job Settings UI to install the v2_windows_rare_metadata_user Job, or if you don't care about that Job and are just using windows_rare_metadata_user, you can clone the Rule and just remove the other Job by editing the Rule.

Rules_-_Kibana
Rules_-_Kibana2672×1574 454 KB

I've created this issue for improving the error messaging here -- hope this helps! :slightly_smiling_face:

Cheers!
Garrett

5

Thanks a lot for the effort!

1 Like
6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.