No data showing in SIEM Detection tab

Hi Everyone, We have create a detection rule threshold in SIEM but it's not showing any output or alerts. We can see the results in Preview Results but no alert is scene. Please check the image below for reference and suggest here.


Hey there @subham :wave:

Can you please provide the stack version you're working on?

Regardless of version, here are some things to check:

  • What is the Rule's configured schedule (interval/lookback)? The preview will default to Last hour, so if your Rule runs every 5 minutes + 4 minute lookback, it'll only be querying the previous 9 minutes, and so will not be looking at the same daterange as the preview. You can increase the interval/lookback to cover a larger range and see if that works in testing.

  • Is there a Timestamp override field configured? If I recall correctly, the preview will use @timestamp as the date field when querying for results, so if you have a different Timestamp override field configured (under About->Advanced settings when editing a rule) you may see a mis-match here.

  • Is the Rule executing successfully? If you go to the Rule Details page for this Rule, is the Last Response as the top succeeded? Is an error banner displayed, or do you see any specific errors under the Failure History tab at the bottom of the page? If so, can you share the error?

Hope this helps! Let us know your version or if any of the above works and we can help debug further! :slightly_smiling_face:

Cheers!
Garrett

1 Like

Hi @spong , Thanks for the reply. I made changes in the Scheduled interval time and it's working now.
Can you tell if we can export these raw alerts cause I can't see any option to export.

Awesome -- glad to hear it's working now! :slightly_smiling_face:

As for exporting raw alerts, there isn't an explicit feature within the Security App to do this, but you can hop on over to Discover, select your alerts index (may need to create one first for .siem-signals-*, which will match all alerts in all spaces) and then use the CSV Reports export feature.

Alternatively, depending on what you're trying to do with them, you can configure one of the Rule Actions to push your alert data elsewhere once detected (or at regular intervals), e.g. using the webhook action.

And of course there's the numerous elasticsearch clients available for fetching this data programmatically.

That said, if these don't meet your needs please feel free to open a feature request (adding the Security Solution label) outlining your usecase.

Hope this helps!

Cheers!
Garrett

1 Like

Thanks for the help Garrett, I'm able to export the alerts by creating the index (.siem-signals).

1 Like