Rule hits visible in preview, but no alerts triggered

I've imported the default Elastic rules, and duplicated the 'whoami' rule. When I preview the rule, it shows hits, but there are no alerts raised. I feel that I'm missing something super obvious, but I would expect to see items listed under open Alerts if I'm getting matches when previewing the rule.

Sounds like maybe this is the same problem?

I've researched some more, and it appears that custom queries using KQL are working properly, but it appears alerts using EQL (maybe others) are not firing for some reason. Any ideas?

While this doesn't give you an answer, I can confirm that these rules are working in my 7.14 environment. I used the prebuilt whoami rule and an alert was generated. I also duplicated the rule, verified results were previewing, and saved the rule and generated a detection event which resulted in an alert.

The only thing I could think of is maybe an issue with your rule lookback time, but I'm sure you have tried adjusting that already.
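A way to reason about the look-back point above, as an added example that is not code from the thread or from Elastic: it models which events a scheduled rule's runs can actually search, assuming (as the comments state) that each run queries @timestamp in [run - interval - look-back, run] and only sees documents already ingested, while the preview searches a fixed wide range.

```python
from datetime import datetime, timedelta, timezone

# Added example, not part of the thread. Assumption: a rule with interval I and
# additional look-back L queries @timestamp in [run - I - L, run] (the "now-6m"
# style range shown in the rule schedule), and an event is only searchable once
# it has been ingested. The preview instead searches a fixed wide range such as
# "last hour", so it can show hits that no scheduled run ever sees.

def query_window(run_time, interval, lookback):
    """Start/end of the @timestamp range a run at `run_time` searches."""
    return run_time - interval - lookback, run_time

def schedule(first_run, interval, count):
    """Constructed run times for a rule that fires every `interval`."""
    return [first_run + i * interval for i in range(count)]

def is_covered(event_ts, ingest_ts, runs, interval, lookback):
    """True if at least one run starts after the event was ingested (so the
    document exists in the index) and its window contains @timestamp."""
    for run in runs:
        start, end = query_window(run, interval, lookback)
        if run >= ingest_ts and start <= event_ts <= end:
            return True
    return False

def missed_events(events, runs, interval, lookback):
    """Ids of events the scheduled runs would never alert on."""
    return [e["id"] for e in events
            if not is_covered(e["ts"], e["ingested"], runs, interval, lookback)]

T0 = datetime(2021, 10, 1, 0, 0, tzinfo=timezone.utc)
M = timedelta(minutes=1)
# Constructed sample: same @timestamp, different ingest delay (e.g. a slow agent).
EVENTS = [
    {"id": "prompt", "ts": T0 + 2 * M, "ingested": T0 + 3 * M},
    {"id": "late",   "ts": T0 + 2 * M, "ingested": T0 + 12 * M},
]
RUNS = schedule(T0, 5 * M, 6)  # runs at :00, :05, :10, :15, :20, :25

if __name__ == "__main__":
    print(missed_events(EVENTS, RUNS, 5 * M, 1 * M))   # ['late']
    print(missed_events(EVENTS, RUNS, 5 * M, 15 * M))  # []
```

An event whose ingest delay exceeds interval plus look-back is missed by every run even though a wide preview range finds it, so comparing event.ingested against @timestamp in the hits is a quick check before changing the schedule.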

Following as this is a problem in 7.15 as well. Custom rules do not trigger correctly.
