Missing index .siem-signals-default

slash24 · February 28, 2022, 9:48pm

Having 7.16.3 properly licensed with Platinum, I cannot run some (tried five) ML-rules from Security due to: ".siem-signals-default" missing.

I have Elastic Agent deployed with Security Endpoint activated and lots of data in logs-*
An error occurred during rule execution: message: "windows_rare_metadata_user,v2_windows_rare_metadata_user missing" name: "Unusual Windows User Calling the Metadata Service" id: "0f1f529c-79e7-11ec-8cb2-a14d75db9d36" rule id: "df197323-72a8-46a9-a08e-3f5b04a4a97a" signals index: ".siem-signals-default"

warkolm · February 28, 2022, 9:59pm

Welcome to our community!

I would encourage you to open a Support request, as you're entitled to that with that license.

slash24 · February 28, 2022, 11:11pm

Trust me, I'm giving support a hard time with many of my newbie-questions.

Just evaluating if the forums are candidates for quicker answers for non-critical matters

spong · March 2, 2022, 8:47pm

Hey there @slash24!

Sorry about the confusion here -- looks like that error message isn't helpful enough. Your signals index isn't actually missing, but rather one of the ML Jobs on that Rule isn't installed. In this case it looks like missing is added next to the job in question: v2_windows_rare_metadata_user missing.

To resolve, you can use the ML Job Settings UI to install the v2_windows_rare_metadata_user Job, or if you don't care about that Job and are just using windows_rare_metadata_user, you can clone the Rule and just remove the other Job by editing the Rule.

I've created this issue for improving the error messaging here -- hope this helps!

Cheers!
Garrett

slash24 · March 7, 2022, 7:38pm

Thanks a lot for the effort!

system · April 4, 2022, 7:39pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.