Security Rules with Endgame get an error


In Elastic Security there are 4 rules which don’t work because Endgame is replaced by Endpoint. The rules are:

  • Malware - Detected - Elastic Endgame
  • Malware - Prevented - Elastic Endgame
  • Ransomware - Detected - Elastic Endgame
  • Ransomware - Prevented - Elastic Endgame

These rules get the following error:

“This rule is attempting to query data from Elasticsearch indices listed in the "Index pattern" section of the rule definition, however no index matching: ["endgame-*"] was found.”

I can make a clone of the rules and change the index to ‘endpoint-*’ , but I think the fieldnames do not look the same.

Any ideas? Or better, let Elastic distribute new rules for these.



Hey Herman :wave: ,

These rules are intended to be promotion rules for users still using the endgame sensor and platform (as opposed to using the endpoint sensor). The raw endgame logs and alerts get logged to the specified endgame-* indexes, so this is to create alerts in the security app.

Essentially, if you are an endpoint user, you can effectively ignore them.


Hi Justin,

Thanks for your answer. I understand that the mentioned use cases are only for Endgame users. But I am wondering if there are the same 4 for Endpoint Users?

So does our SIEM detect ramson- and malware and report about it? I don’t see those Use Cases.



Yes it does - refer to this rule

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.