We have email alerts on two rules that stopped working after the update to 8.1.3.
The example below is the rule that shows the Windows service accounts that have failed logons. I have this working as shown below, and the issue follows.
Query:
winlog.event_id : "4625" and (user.name : svc* or user.name : svc or user.name : WIN- or user.name : .* or user.name : Svc or user.name : Svc or user.name : *$ )
Group by:
user.name and winlog.computer_name
Threshold:
Results aggregated by user.name,winlog.computer_name >= 10
Under Actions in the rule settings we currently have this set to Email, and the following works:
Rule {{context.rule.name}} generated {{state.signals_count}} alerts
{{context.rule.description}}
Below is a list of the Failed Logons for the Windows Service Accounts :
{{#context.alerts}}
User Name : {{user.name}}
Source Computer: {{winlog.computer_name}} .
{{/context.alerts}}
Click the link for investigations;
The result is the following email:
Rule sw_Windows Service Failed Logons generated 25 alerts Windows Service Accounts ; where the winlog.event_id : "4625" and (user.name : svc* or user.name : svc or user.name : WIN- or user.name : .* or user.name : *Svc or user.name : *$ ) AND the Count on Failed logon Attempt is greater than or equal to 10.
Below is a list of the Failed Logons for the Windows Service Accounts :
User Name : UserName$
Source Computer: We are getting the computer name here, just removed this for security sake.
User Name : UserNamesvc
Source Computer: We are getting the computer name here, just removed this for security sake.
ISSUE:
According to the documentation, the following should work, and it did work on the previous release, but the “signal.threshold” loop has not worked since the upgrade.
We also need the count for each “{{value}}”.
{{#context.alerts}}
{{#signal.threshold_result.terms}}
{{value}}
{{/signal.threshold_result.terms}}
{{/context.alerts}}
Link to the documentation that shows the above: Create a detection rule | Elastic Security Solution [8.1] | Elastic
If you need more information, please let me know.
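To show why a section loop like the one above can render nothing without any error, here is an added example (not from the original post, and not Kibana's own renderer) with a minimal Mustache-style renderer run over two constructed threshold alerts. It assumes the 8.x alert documents carry the threshold terms and count under kibana.alert.threshold_result instead of signal.threshold_result; that field path, the alert contents and the hostnames are assumptions, not data from the post.

```python
import re

# Added example: a minimal Mustache-style renderer ({{#x}}...{{/x}} sections, {{x}} variables).
# Not Kibana's renderer; it mimics the one behaviour that matters here: a section whose
# path is missing from the context renders as empty text, silently.
SECTION = re.compile(r"\{\{#([\w.]+)\}\}(.*?)\{\{/\1\}\}", re.S)
VAR = re.compile(r"\{\{([\w.]+)\}\}")

def lookup(stack, name):
    # Resolve a dotted name, innermost scope first: nested walk, then flat dotted key.
    for ctx in reversed(stack):
        cur = ctx
        for part in name.split("."):
            cur = cur.get(part) if isinstance(cur, dict) else None
        if cur is not None:
            return cur
        if isinstance(ctx, dict) and name in ctx:
            return ctx[name]
    return None

def render(template, stack):
    def section(m):
        val = lookup(stack, m.group(1))
        if not val:  # missing or empty path: the whole loop body disappears
            return ""
        items = val if isinstance(val, list) else [val]
        return "".join(render(m.group(2), stack + [item]) for item in items)
    def variable(m):
        val = lookup(stack, m.group(1))
        return "" if val is None else str(val)
    return VAR.sub(variable, SECTION.sub(section, template))

def threshold_alert(user, host, count):
    # Constructed alert document in the assumed 8.x kibana.alert.* layout.
    terms = [{"field": "user.name", "value": user}, {"field": "winlog.computer_name", "value": host}]
    return {"user": {"name": user}, "winlog": {"computer_name": host},
            "kibana": {"alert": {"threshold_result": {"terms": terms, "count": count}}}}

# Constructed sample: two aggregated alerts, as context.alerts would carry them.
ALERTS = [threshold_alert("svc_backup", "HOST-A", 14), threshold_alert("WIN-DC01$", "HOST-B", 31)]

# The loop from the post (old signal.* path), then the same loop on the assumed new path with the per-alert count.
OLD_LOOP = ("{{#context.alerts}}{{#signal.threshold_result.terms}}{{value}};"
            "{{/signal.threshold_result.terms}}{{/context.alerts}}")
NEW_LOOP = ("{{#context.alerts}}{{#kibana.alert.threshold_result.terms}}{{value}};"
            "{{/kibana.alert.threshold_result.terms}}count={{kibana.alert.threshold_result.count}}\n"
            "{{/context.alerts}}")

def render_action(template, alerts=ALERTS):
    return render(template, [{"context": {"alerts": alerts}}])
```

Rendering OLD_LOOP against these alerts yields an empty string, which matches an email whose loop section simply vanishes; NEW_LOOP yields one line per alert with both grouped values and the count.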