Rules not triggering alerts

Hello,
I am creating so simple custom rules, which supposed to trigger alerts

• my ELK version is 7.14
• i have tested the query in the discover section and it retrieve a result, so the rule should trigger and alert
• is there rule detection log or something? how to troubleshoot this issue?

Hey @john12 ,

Thanks for your question. Here are a couple things that come to mind for troubleshooting a detection rule.

• Checkout the troubleshooting docs: Monitor and troubleshoot rule executions | Elastic Security Solution [7.14] | Elastic
• Try leveraging the preview to see what alerts would be triggered when creating your rule

Example preview

image1237×747 54.3 KB

• Check the Rule Monitoring tab to see if there are warnings or errors for your rule

Rule Monitoring

image1705×442 40.1 KB

• There are detection logs, they are written to the Kibana logs

Hello I have been having the same issue with 7.14.1 while in 7.13, same rules with same logs work just fine and the alert is triggered.
It is no crazy query just event.code:"1116" which is for defender that a malware is found.
I can verify that i see it in my winlogbeat logs but the alert even though in monitoring says it is run, there are no alerts triggered.
This is a custom rule, the default ones work just fine.

Thats right, i discovered thats its a bug not solved yet

Hello,

Did you check if there is any delay in receiving logs in ELK. If at the level of the Schedule rule you have Run every 5 and in additional look-back time = 1 then the rules will be applied only to the events received during the last 6 min

Best regards,

Hello frank_rib, yes i did the test at the same time while the rule was checking for even 10 minutes before.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.