Hi Everyone, We have created a threshold detection rule in SIEM, but it's not showing any output or alerts. We can see the results in Preview Results, but no alert is seen. Please check the image below for reference and advise.
Hey there @subham
Can you please provide the stack version you're working on?
Regardless of version, here are some things to check:
- What is the Rule's configured schedule (interval/lookback)? The preview will default to `Last hour`, so if your Rule runs every 5 minutes + 4 minute lookback, it'll only be querying the previous 9 minutes, and so will not be looking at the same date range as the preview. You can increase the interval/lookback to cover a larger range and see if that works in testing.
- Is there a `Timestamp override` field configured? If I recall correctly, the preview will use `@timestamp` as the date field when querying for results, so if you have a different `Timestamp override` field configured (under `About` -> `Advanced settings` when editing a rule) you may see a mismatch here.
- Is the Rule executing successfully? If you go to the `Rule Details` page for this Rule, is the `Last Response` at the top `succeeded`? Is an error banner displayed, or do you see any specific errors under the `Failure History` tab at the bottom of the page? If so, can you share the error?
Hope this helps! Let us know your version or if any of the above works and we can help debug further!
Cheers!
Garrett
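To make the first two checks above concrete, here is an added example (not code from the thread or from Elastic) that computes the window a scheduled run actually queries (interval plus additional look-back) next to the window the preview queries (the default "Last hour"), and shows how a Timestamp override field changes which events a run sees. The `event.ingested` field standing in for the override, the duration parser and all events are constructed assumptions for illustration.

```python
"""Added example (not from the thread): compare the time window a scheduled
rule run queries (interval + additional look-back) with the window the rule
preview queries (defaults to the last hour), and show how a Timestamp override
field changes which events a run sees. All events below are constructed."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_duration(text: str) -> timedelta:
    """Parse a Kibana-style duration ('5m', '4m', '1h', '2d') into a timedelta."""
    m = re.fullmatch(r"\s*(\d+)\s*([smhd])\s*", text)
    if not m:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(seconds=int(m.group(1)) * _UNIT_SECONDS[m.group(2)])


def rule_window(interval: str, lookback: str, now: datetime) -> Tuple[datetime, datetime]:
    """Window one scheduled run covers: interval plus additional look-back, ending at now."""
    return now - (parse_duration(interval) + parse_duration(lookback)), now


def preview_window(now: datetime, quick_range: str = "1h") -> Tuple[datetime, datetime]:
    """Window the preview covers; the preview's quick-range picker defaults to 'Last hour'."""
    return now - parse_duration(quick_range), now


def range_filter(window: Tuple[datetime, datetime], timestamp_field: str = "@timestamp") -> dict:
    """Elasticsearch range filter on the field the rule actually constrains
    (the Timestamp override field when one is set, otherwise @timestamp)."""
    start, end = window
    return {"range": {timestamp_field: {"gte": start.isoformat(), "lte": end.isoformat()}}}


def in_window(doc: Dict[str, str], window: Tuple[datetime, datetime], timestamp_field: str) -> bool:
    """True if the document's timestamp_field falls inside the window; docs missing the field never match."""
    value = doc.get(timestamp_field)
    if value is None:
        return False
    start, end = window
    return start <= datetime.fromisoformat(value) <= end


def hits_for(docs: List[Dict[str, str]], window: Tuple[datetime, datetime], timestamp_field: str) -> List[str]:
    """IDs of the constructed docs a query over the given window and field would return."""
    return [d["id"] for d in docs if in_window(d, window, timestamp_field)]


def compare_preview_and_rule(docs, interval, lookback, now, timestamp_override=None) -> Dict[str, List[str]]:
    """Which docs the preview (last hour on @timestamp) and one scheduled run would return."""
    rule_field = timestamp_override or "@timestamp"
    return {
        "preview": hits_for(docs, preview_window(now), "@timestamp"),
        "rule": hits_for(docs, rule_window(interval, lookback, now), rule_field),
    }


# Constructed sample events (hypothetical; event.ingested plays the override field).
NOW = datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)


def _ago(**kw) -> str:
    return (NOW - timedelta(**kw)).isoformat()


EVENTS = [
    {"id": "old",    "@timestamp": _ago(minutes=30), "event.ingested": _ago(minutes=30)},
    {"id": "recent", "@timestamp": _ago(minutes=2),  "event.ingested": _ago(minutes=2)},
    # arrived late: old event time, but ingested a minute ago
    {"id": "late",   "@timestamp": _ago(hours=3),    "event.ingested": _ago(minutes=1)},
]

if __name__ == "__main__":
    print("preview window:", preview_window(NOW))
    print("rule window (5m + 4m):", rule_window("5m", "4m", NOW))
    print(compare_preview_and_rule(EVENTS, "5m", "4m", NOW))
    print(compare_preview_and_rule(EVENTS, "5m", "4m", NOW, timestamp_override="event.ingested"))
    print(range_filter(rule_window("5m", "4m", NOW), "event.ingested"))
```

With a 5m interval and 4m look-back the run only queries the last 9 minutes, so the "old" event that the hour-long preview shows is never examined; with an override on `event.ingested` the run picks up the late-arriving event that the preview, querying `@timestamp`, does not show. Widening the interval/look-back (or checking for an override) is the first thing to reconcile when preview and live results disagree.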
Hi @spong , Thanks for the reply. I made changes in the Scheduled interval time and it's working now.
Can you tell me if we can export these raw alerts, because I can't see any option to export them.
Awesome -- glad to hear it's working now!
As for exporting raw alerts, there isn't an explicit feature within the Security App to do this, but you can hop on over to `Discover`, select your alerts index (may need to create one first for `.siem-signals-*`, which will match all alerts in all spaces) and then use the `CSV Reports` export feature.
Alternatively, depending on what you're trying to do with them, you can configure one of the `Rule Actions` to push your alert data elsewhere once detected (or at regular intervals), e.g. using the `webhook` action.
And of course there are the numerous `elasticsearch` clients available for fetching this data programmatically.
That said, if these don't meet your needs please feel free to open a feature request (adding the `Security Solution` label) outlining your use case.
Hope this helps!
Cheers!
Garrett
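For the programmatic route mentioned above, here is an added example (not code from the thread or from Elastic) that searches the `.siem-signals-*` index for a time range and writes selected alert fields to CSV. The client only needs a `search(index=..., body=...)` method, which is the call shape of the elasticsearch-py 7.x client; a constructed stand-in returning canned hits is used so the example runs offline. The `signal.*` field names follow the 7.x alert document layout, and all sample documents are constructed.

```python
"""Added example (not from the thread, and not Elastic's code): pull alerts out
of the .siem-signals-* index with the Elasticsearch search API and write the
fields you care about to CSV. The client object only needs a
search(index=..., body=...) method, which is the call shape of the
elasticsearch-py 7.x client; a constructed stand-in with a canned response is
used here so the example runs offline. Document shape assumes the 7.x
signal.* alert fields."""
import csv
import io
from typing import Any, Dict, Iterable, List, Optional

ALERTS_INDEX = ".siem-signals-*"   # matches the alerts indices of every space


def alerts_query(since: str, until: str = "now", size: int = 1000) -> dict:
    """Search body: alerts whose @timestamp is in [since, until], newest first, capped at size."""
    return {
        "size": size,
        "sort": [{"@timestamp": {"order": "desc"}}],
        "query": {"bool": {"filter": [
            {"range": {"@timestamp": {"gte": since, "lte": until}}},
        ]}},
    }


def get_path(doc: Dict[str, Any], path: str) -> Optional[Any]:
    """Resolve a dotted field name ('signal.rule.name') in a nested _source; None if absent."""
    cur: Any = doc
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur


def hits_to_rows(hits: Iterable[dict], columns: List[str]) -> List[List[Any]]:
    """One row per hit: the document _id followed by the requested columns (None when missing)."""
    return [[hit.get("_id")] + [get_path(hit.get("_source", {}), c) for c in columns] for hit in hits]


def export_alerts_csv(client, since: str, columns: List[str], until: str = "now") -> str:
    """Run the search against the alerts index and return the hits as CSV text."""
    resp = client.search(index=ALERTS_INDEX, body=alerts_query(since, until))
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["_id"] + columns)
    writer.writerows(hits_to_rows(resp["hits"]["hits"], columns))
    return buf.getvalue()


class ConstructedClient:
    """Stand-in for elasticsearch.Elasticsearch: records the call, returns canned hits."""
    def __init__(self, hits: List[dict]):
        self.hits = hits
        self.last_call: Optional[dict] = None

    def search(self, index: str, body: dict) -> dict:
        self.last_call = {"index": index, "body": body}
        return {"hits": {"total": {"value": len(self.hits), "relation": "eq"}, "hits": self.hits}}


# Constructed sample alert documents (hypothetical values).
SAMPLE_HITS = [
    {"_index": ".siem-signals-default-000001", "_id": "a1",
     "_source": {"@timestamp": "2021-06-01T11:58:00.000Z",
                 "signal": {"status": "open", "rule": {"name": "Threshold rule", "severity": "high"}},
                 "host": {"name": "web-01"}, "user": {"name": "alice"}}},
    {"_index": ".siem-signals-default-000001", "_id": "a2",
     "_source": {"@timestamp": "2021-06-01T11:55:00.000Z",
                 "signal": {"status": "open", "rule": {"name": "Threshold rule", "severity": "high"}},
                 "host": {"name": "db-02"}}},   # no user.name on this alert
]
COLUMNS = ["@timestamp", "signal.rule.name", "signal.rule.severity", "signal.status", "host.name", "user.name"]


def demo_export(since: str = "now-24h"):
    """Run the export against the constructed client; returns (csv_text, recorded search call)."""
    client = ConstructedClient(SAMPLE_HITS)
    return export_alerts_csv(client, since=since, columns=COLUMNS), client.last_call


if __name__ == "__main__":
    # With the real client: from elasticsearch import Elasticsearch; client = Elasticsearch("https://...")
    text, _ = demo_export()
    print(text, end="")
```

Keep the time range tight and the `size` capped; for anything larger than one page of results, switch the search to the scroll or point-in-time API rather than raising `size`.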
Thanks for the help Garrett, I'm able to export the alerts by creating the index (.siem-signals).