SIEM Event Correlation rule returns no data

pruttle · December 8, 2021, 9:27am

Kibana version 7.14.1
I am creating an Event Correlation rule in SIEM and the preview does not return any results. If I do the same query in Dev Tools it works.
I see that the preview runs some kind of java script but the dev tools appear to do a standard web request.
If I copy the request from Event Correlation which looks like this:

{ "filter: 
     { "range": { "@timestamp" 
            { "gte" : "2021-12-07T09:03:22.318Z", 
               "lte" : "2021-12-08T09:03:22.318Z",
                "format" : "strict_date_optional_time"  }
    }}}
,
"query": "process where xxxxx == xxxx", "size": 100 }

If I paste into Dev Tools and GET on a wild card or specific index it works.
Is it possible there is a permissions issue? I am using the same account for the preview and the query.
Thanks

Frank_Hassanabad · December 9, 2021, 9:10pm

I wonder if you're encountering this issue:

github.com/elastic/kibana

[Security Solution][Detections] No results in Rule Preview

opened 08:14PM - 18 Nov 21 UTC

banderror

bug v8.0.0 Team:Detections and Resp Team: SecuritySolution

## Summary I have a test index for source events with custom non-ECS fields. …If I create a rule that targets this index, I can't see any results in the Rule Preview, but the rule is able to find the events and generate alerts if you save and run it. ## Repro steps Create a custom index for source events and write a test object with a timestamp as of today: ``` PUT /sdh-247 { "mappings": { "dynamic": "true", "properties": { "@timestamp": { "type": "date" }, "deviceCustomDateLabel": { "type": "keyword" }, "deviceCustomDate_Date": { "type": "date" }, "deviceCustomDate_Long": { "type": "long" }, "deviceCustomDate_DateNanos": { "type": "date_nanos" } } }, "settings": { "index": { "number_of_shards": 1 } } } PUT /sdh-247/_doc/1 { "@timestamp": "2021-11-18T12:10:30Z", "deviceCustomDateLabel": "TRENUTAN_DATUM_UO", "deviceCustomDate_Date": "2021-11-18T12:10:30Z", "deviceCustomDate_Long": 1074640200000, "deviceCustomDate_DateNanos": 1074640200000 } ``` Create a Custom query rule that should generate an alert based off of it: ![](https://puu.sh/Iq2on/fc109c736a.png) Observe no results in the Rule Preview: ![](https://puu.sh/Iq2p3/3c9c0fe685.png) Set a sufficient look-back time so the rule could find the source event (e.g. 48 hours). Save and run this rule, and it should find the event and generate an alert from it: ![](https://puu.sh/Iq2qR/1205892ea9.png) ## Environment Local dev environment Branch: `main` Kibana config: ```yml elasticsearch: username: 'kibana_system' password: 'changeme' hosts: 'http://localhost:9200' xpack.ruleRegistry.write.enabled: true xpack.ruleRegistry.unsafe.indexUpgrade.enabled: true xpack.ruleRegistry.unsafe.legacyMultiTenancy.enabled: true xpack.securitySolution.enableExperimental: ['ruleRegistryEnabled'] ```

pruttle · December 13, 2021, 3:20pm

Thanks for the reply. I don't think this is this issue but presumably an update would fix it? Cheers

pruttle · December 17, 2021, 9:06am

When I look at a document where the preview works, the @timestamp value is in the _source section of the JSON.
A document where the preview does not work has the @timestamp in the _fields section.

Presumably the SIEM Event Correlation EQL query runs against the _source only?

system · January 14, 2022, 9:06am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.