In Elastic Security there are 4 rules which don’t work because Endgame is replaced by Endpoint. The rules are:
Malware - Detected - Elastic Endgame
Malware - Prevented - Elastic Endgame
Ransomware - Detected - Elastic Endgame
Ransomware - Prevented - Elastic Endgame
These rules get the following error:
“This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ["endgame-*"] was found.”
I can make a clone of the rules and change the index to ‘endpoint-*’, but I think the field names do not look the same.
Any ideas? Or better, let Elastic distribute new rules for these.
These rules are intended to be promotion rules for users still using the endgame sensor and platform (as opposed to using the endpoint sensor). The raw endgame logs and alerts get logged to the specified endgame-* indexes, so this is to create alerts in the security app.
Essentially, if you are an endpoint user, you can effectively ignore them.
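As an added example (not code from the thread or from Elastic), the following Python script shows how to audit which installed detection rules would raise the "no index matching" warning quoted above: it resolves each rule's index patterns against the index and data stream names a cluster reports, using the same `*` wildcard semantics Elasticsearch applies, and lists the rules whose patterns match nothing. The four Endgame rules and the `endgame-*` pattern come from the thread; the "Endpoint Security" rule, its `logs-endpoint.alerts-*` pattern, the index names and the Kibana URL are constructed sample values and assumptions for illustration.

```python
"""Audit Elastic Security detection rules whose index patterns match no index.

Added example. Sample rules and index names below are constructed; the only
values taken from the thread are the four Endgame rule names and 'endgame-*'.
"""
import json
import re
from typing import Iterable, List, Tuple
import urllib.request

# Constructed sample: a subset of prebuilt rules (name + index patterns).
# The "Endpoint Security" entry and its pattern are an assumption about the
# Endpoint-based equivalent, not a value taken from the thread.
SAMPLE_RULES = [
    {"name": "Malware - Detected - Elastic Endgame", "index": ["endgame-*"]},
    {"name": "Malware - Prevented - Elastic Endgame", "index": ["endgame-*"]},
    {"name": "Ransomware - Detected - Elastic Endgame", "index": ["endgame-*"]},
    {"name": "Ransomware - Prevented - Elastic Endgame", "index": ["endgame-*"]},
    {"name": "Endpoint Security", "index": ["logs-endpoint.alerts-*"]},
]

# Constructed sample of what an Endpoint-only cluster might report: data stream
# names plus one backing index. Rule index patterns are matched against the
# data stream name, not the ".ds-" backing index behind it.
SAMPLE_TARGETS = [
    "logs-endpoint.alerts-default",
    "logs-endpoint.events.process-default",
    ".ds-logs-endpoint.alerts-default-2024.05.01-000001",
]


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an Elasticsearch index pattern into a regex.

    '*' matches any run of characters; every other character is literal
    (unlike fnmatch, '?' and '[' have no special meaning here).
    """
    parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile(".*".join(parts))


def pattern_matches_any(pattern: str, names: Iterable[str]) -> bool:
    """True if at least one index/data stream name matches the pattern."""
    rx = pattern_to_regex(pattern)
    return any(rx.fullmatch(n) for n in names)


def find_dead_rules(rules: List[dict], names: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Return (rule name, index patterns) for rules none of whose patterns match.

    A rule with at least one matching pattern still executes, so it is not
    reported; rules without an index list (e.g. data-view based) are skipped.
    """
    names = list(names)
    dead = []
    for rule in rules:
        patterns = rule.get("index") or []
        if patterns and not any(pattern_matches_any(p, names) for p in patterns):
            dead.append((rule["name"], list(patterns)))
    return dead


def fetch_rules_from_kibana(kibana_url: str, auth_header: str) -> List[dict]:
    """Optional live fetch via Kibana's detection engine rules API.

    Not exercised offline; kibana_url and auth_header are caller-supplied
    (e.g. 'Basic ...' or 'ApiKey ...'). Returns the rule objects, which carry
    an 'index' list in the same shape as SAMPLE_RULES.
    """
    req = urllib.request.Request(
        f"{kibana_url}/api/detection_engine/rules/_find?per_page=1000",
        headers={"kbn-xsrf": "true", "Authorization": auth_header},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["data"]


if __name__ == "__main__":
    for name, patterns in find_dead_rules(SAMPLE_RULES, SAMPLE_TARGETS):
        print(f"no index matches {patterns}: {name}")
```

Run as-is, the script reports exactly the four Endgame rules, which is the expected outcome on an Endpoint-only cluster and matches the advice in the reply above: those rules can be ignored or disabled rather than cloned onto `endpoint-*`. For a live check, feed `fetch_rules_from_kibana(...)` and the names returned by Elasticsearch's `GET _resolve/index/*` (indices, aliases and data streams) into `find_dead_rules`.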
Thanks for your answer. I understand that the mentioned use cases are only for Endgame users. But I am wondering if there are the same 4 for Endpoint Users?
So does our SIEM detect ransom- and malware and report about it? I don’t see those Use Cases.