Hi Everyone, we have created a threshold detection rule in SIEM, but it's not showing any output or alerts. We can see the results in Preview Results, but no alert is seen. Please check the image below for reference and suggest here.
Hey there @subham
Can you please provide the stack version you're working on?
Regardless of version, here are some things to check:
What is the Rule's configured schedule (interval/lookback)? The preview will default to "Last hour", so if your Rule runs every 5 minutes + 4 minute lookback, it'll only be querying the previous 9 minutes, and so will not be looking at the same date range as the preview. You can increase the interval/lookback to cover a larger range and see if that works in testing.
Is there a "Timestamp override" field configured? If I recall correctly, the preview will use @timestamp as the date field when querying for results, so if you have a different "Timestamp override" field configured (under About -> Advanced settings when editing a rule) you may see a mismatch here.
Is the Rule executing successfully? If you go to the "Rule Details" page for this Rule, is the "Last Response" at the top "succeeded"? Is an error banner displayed, or do you see any specific errors under the "Failure History" tab at the bottom of the page? If so, can you share the error?
Hope this helps! Let us know your version or if any of the above works and we can help debug further!
Hi @spong, thanks for the reply. I made changes to the scheduled interval time and it's working now.
Can you tell me if we can export these raw alerts, because I can't see any option to export.
Awesome -- glad to hear it's working now!
As for exporting raw alerts, there isn't an explicit feature within the Security App to do this, but you can hop on over to Discover, select your alerts index (may need to create one first for .siem-signals-*, which will match all alerts in all spaces) and then use the CSV Reports export feature.
Alternatively, depending on what you're trying to do with them, you can configure one of the Rule Actions to push your alert data elsewhere once detected (or at regular intervals), e.g. using the
And of course there are the numerous elasticsearch clients available for fetching this data programmatically.
That said, if these don't meet your needs please feel free to open a feature request (adding the Security Solution label) outlining your use case.
Hope this helps!
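Added example, not code from this thread or from Elastic: it computes the window one rule execution actually queries (interval plus additional lookback, as explained in the first reply) and flattens alerts fetched from the .siem-signals-* index into CSV rows, the programmatic version of the export described above, over constructed sample hits. The field names host.name and signal.rule.name in the sample are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

def rule_window(now, interval, lookback):
    """Range one rule execution queries: interval plus additional lookback. A 5m
    interval with 4m lookback covers 9 minutes; the preview defaults to an hour."""
    return now - (interval + lookback), now

def search_body(window, date_field="@timestamp"):
    """Range query for one execution; pass the timestamp override field name
    instead of @timestamp if the rule has one configured."""
    start, end = window
    return {"query": {"range": {date_field: {"gte": start.isoformat(), "lt": end.isoformat()}}}}

def get_path(source, dotted):
    """Resolve a dotted field name (host.name) against a nested _source dict."""
    cur = source
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return ""
        cur = cur[part]
    return cur

def in_window(hit, window, date_field="@timestamp"):
    """True if the hit's date field falls inside the execution window."""
    ts = datetime.fromisoformat(get_path(hit["_source"], date_field).replace("Z", "+00:00"))
    return window[0] <= ts < window[1]

def alerts_to_csv(hits, fields):
    """Flatten search hits into CSV text, as the Discover CSV export would."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fields, lineterminator="\n")
    writer.writeheader()
    for hit in hits:
        writer.writerow({f: get_path(hit["_source"], f) for f in fields})
    return buf.getvalue()

# Constructed sample hits from a .siem-signals-* search (not real alert data).
NOW = datetime(2021, 6, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_HITS = [
    {"_source": {"@timestamp": "2021-06-01T11:58:00Z", "host": {"name": "ws-01"}, "signal": {"rule": {"name": "Threshold rule"}}}},
    {"_source": {"@timestamp": "2021-06-01T11:30:00Z", "host": {"name": "ws-02"}, "signal": {"rule": {"name": "Threshold rule"}}}},
]
RULE_WINDOW = rule_window(NOW, timedelta(minutes=5), timedelta(minutes=4))  # 9 minutes
PREVIEW_WINDOW = rule_window(NOW, timedelta(hours=1), timedelta(0))  # preview default

if __name__ == "__main__":
    seen = [h for h in SAMPLE_HITS if in_window(h, RULE_WINDOW)]
    print(alerts_to_csv(seen, ["@timestamp", "host.name", "signal.rule.name"]))
```

The second sample alert is inside the preview's one-hour window but outside the 9 minute execution window, which is the mismatch the first reply describes.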
Thanks for the help Garrett, I'm able to export the alerts by creating the index (.siem-signals).