I ingested some data from firewall devices of which I would like to create rules in the Detections part of the Elastic SIEM.
I created a rule to detect Malware using a field of the log file which has that information.
The problem is I only have logs from a brief sequence of time (only a month of logs). I'm configuring in the SIEM calendar the value "Last 90 days", but no signals are shown from that period of time (logs are from March).
If I use the KQL query in Discover of Kibana, it works properly, so I think the rule should be working.
My doubt is: why can't I see the signal against this "old" file? Should new data be introduced again in Elasticsearch after the rule is created? Can't I see signals using this period of time?
Thank you all.
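Added example (not part of the original post, and not Elastic's own code): a simplified Python model of why a Discover search over "Last 90 days" and a scheduled detection rule can disagree. A detection rule does not search the whole index; each scheduled run only evaluates events whose `@timestamp` falls inside the rule's lookback window (the rule's `from` setting, e.g. `now-6m`), and the Detections page calendar filters signals that have already been written, using the time the signal was created. The field name `threat.category`, the timestamps and the event list below are constructed sample data; the `run_rule` / `signals_in_date_picker` functions are assumptions that model the engine's behaviour, not its real API.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed firewall events: a month of March logs, two of them flagged as malware.
FIREWALL_EVENTS = [
    {"@timestamp": "2020-03-04T10:15:00Z", "threat.category": "malware", "source.ip": "10.0.0.5"},
    {"@timestamp": "2020-03-18T22:41:00Z", "threat.category": "malware", "source.ip": "10.0.0.9"},
    {"@timestamp": "2020-03-20T08:00:00Z", "threat.category": "none", "source.ip": "10.0.0.7"},
]

_UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp as written in the sample events."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def lookback(from_expr):
    """Turn a date-math lookback such as 'now-6m' or 'now-100d' into a timedelta."""
    match = re.fullmatch(r"now-(\d+)([smhd])", from_expr)
    if not match:
        raise ValueError(f"unsupported lookback expression: {from_expr}")
    return timedelta(**{_UNITS[match.group(2)]: int(match.group(1))})


def discover_query(events, field, value):
    """Discover-style search: every stored event is a candidate, limited only by the calendar."""
    return [e for e in events if e.get(field) == value]


def run_rule(events, field, value, from_expr, now):
    """One scheduled execution of a detection rule (modelled, not Elastic's engine).

    Only events whose @timestamp lies in [now - lookback, now] are evaluated.
    Older events are never seen by the rule, however wide the dashboard calendar is.
    A signal records when it was created (@timestamp) and the event's original time.
    """
    window_start = now - lookback(from_expr)
    signals = []
    for event in events:
        event_time = parse_ts(event["@timestamp"])
        if window_start <= event_time <= now and event.get(field) == value:
            signals.append({
                "@timestamp": now.strftime("%Y-%m-%dT%H:%M:%SZ"),      # signal creation time
                "signal.original_time": event["@timestamp"],           # source event time
            })
    return signals


def signals_in_date_picker(signals, start, end):
    """The Detections page calendar filters existing signals by creation time; it creates none."""
    return [s for s in signals if start <= parse_ts(s["@timestamp"]) <= end]


def demo():
    """Rule runs in June against March logs; returns counts for the three situations."""
    now = parse_ts("2020-06-01T12:00:00Z")
    discover_hits = discover_query(FIREWALL_EVENTS, "threat.category", "malware")
    default_run = run_rule(FIREWALL_EVENTS, "threat.category", "malware", "now-6m", now)
    wide_run = run_rule(FIREWALL_EVENTS, "threat.category", "malware", "now-100d", now)
    # Even signals produced by the wide run carry a June creation time, so a calendar
    # set to March alone shows none of them, while "last 90 days" from June shows all.
    march_only = signals_in_date_picker(wide_run, parse_ts("2020-03-01T00:00:00Z"), parse_ts("2020-03-31T23:59:59Z"))
    last_90_days = signals_in_date_picker(wide_run, now - timedelta(days=90), now)
    return len(discover_hits), len(default_run), len(wide_run), len(march_only), len(last_90_days)


if __name__ == "__main__":
    print("discover hits, default-lookback signals, wide-lookback signals, March picker, 90-day picker:", demo())
```

In this model the Discover query finds both malware events while a rule with the default-style `now-6m` lookback produces nothing when it runs in June, because the March events are outside its window at execution time. Only a lookback covering the data, or events re-indexed with fresh timestamps, can be evaluated by a scheduled run, and whatever signals that produces are dated by their creation time when the calendar filters them.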