Signal SIEM Detections using log files


I ingested some data from firewall devices, from which I would like to create rules in the Detections part of the Elastic SIEM.
I created a rule to detect malware using a field of the log file which has that information.

The problem is I only have logs from a brief period of time (only a month of logs). I'm configuring in the SIEM calendar the value "Last 90 days", but no signals are shown from that period of time (the logs are from March).
If I use the KQL query in Discover in Kibana, it works properly, so I think the rule should be working.

My doubt is: why can't I see the signal against this "old" file? Should new data be introduced again into Elasticsearch after the rule is created? Can't I see signals using this period of time?

Thank you all.


The detection engine, by default, when you create a rule, goes back 5 minutes every 5 minutes looking for signals. It's more real-time-ish than it is historic.

You could potentially either re-index your index to make it look like it is from recent times, or configure a rule to run really, really far backwards, turn it on once, run it, and then turn it off as a workaround if you want to.
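The following is an added example, not code from the thread or from Elastic: it simulates the look-back window the answer describes (a rule execution only examines documents between its `from` and `to`, so month-old firewall logs never enter a `now-5m` .. `now` window) and shows the two workarounds side by side, a one-off rule body with a wide `from`, and a crude re-stamp of `@timestamp` standing in for the re-index. Assumptions made here: the firewall documents carry an `@timestamp` field and the malware verdict in a field called `firewall.threat`; the index pattern `firewall-*`, the rule id, and the rule-creation time are invented; the rule body uses the field names of the Kibana detection rules API (`type`, `query`, `language`, `index`, `from`, `to`, `interval`, `enabled`, `max_signals`), but only a `field : "value"` KQL clause is evaluated locally.

```python
"""Look-back window simulation for an Elastic SIEM query rule.
Added example; the sample events below are constructed, not real firewall logs."""
import re
from datetime import datetime, timedelta, timezone

DATE_MATH = re.compile(r"^now(?:-(\d+)([smhd]))?$")
UNITS = {"s": "seconds", "m": "minutes", "h": "hours", "d": "days"}
KQL_EQ = re.compile(r'^\s*([\w.]+)\s*:\s*"([^"]*)"\s*$')


def resolve(expr, now):
    """Resolve the subset of Elasticsearch date math a rule uses ("now", "now-5m", "now-90d")."""
    m = DATE_MATH.match(expr)
    if not m:
        raise ValueError(f"unsupported date math: {expr}")
    if m.group(1) is None:
        return now
    return now - timedelta(**{UNITS[m.group(2)]: int(m.group(1))})


def build_rule(from_expr="now-5m", to_expr="now", interval="5m", enabled=True):
    """Rule body in the shape of POST /api/detection_engine/rules.
    The default schedule and the one-off historical run differ only in from/to/interval."""
    return {
        "rule_id": "firewall-malware-historical",  # assumed identifier
        "name": "Firewall malware indicator",
        "description": "Firewall reported a malware verdict",
        "type": "query",
        "language": "kuery",
        "index": ["firewall-*"],                   # assumed index pattern
        "query": 'firewall.threat : "malware"',    # assumed field name
        "risk_score": 50,
        "severity": "medium",
        "from": from_expr,
        "to": to_expr,
        "interval": interval,
        "enabled": enabled,
        # A wide window can match far more than the default cap of 100 signals per run.
        "max_signals": 10000,
    }


def field(doc, path):
    """Read a dotted path such as firewall.threat from a nested document."""
    for part in path.split("."):
        if not isinstance(doc, dict):
            return None
        doc = doc.get(part)
    return doc


def run_rule(rule, events, now):
    """Events one execution at `now` would turn into signals: inside [from, to]
    and matching the rule's single `field : "value"` KQL clause."""
    m = KQL_EQ.match(rule["query"])
    if not m:
        raise ValueError('only `field : "value"` KQL is simulated here')
    path, value = m.groups()
    start, end = resolve(rule["from"], now), resolve(rule["to"], now)
    hits = [e for e in events if start <= e["@timestamp"] <= end and field(e, path) == value]
    return hits[: rule.get("max_signals", 100)]


def restamp_for_replay(events, now):
    """Crude version of the re-index workaround: move @timestamp to the replay
    time so the next scheduled run sees the data, keeping the original under
    event.original_time (my field name, not an ECS one)."""
    out = []
    for e in events:
        copy = dict(e)
        copy["event"] = dict(e.get("event", {}), original_time=e["@timestamp"].isoformat())
        copy["@timestamp"] = now
        out.append(copy)
    return out


def _ts(s):
    return datetime.fromisoformat(s).astimezone(timezone.utc)


NOW = _ts("2020-06-01T12:00:00+00:00")  # assumed time the rule was created and first ran

# Constructed firewall documents covering one month (March); not real logs.
SAMPLE_EVENTS = [
    {"@timestamp": _ts("2020-03-02T10:00:00+00:00"), "source": {"ip": "10.0.0.5"}, "firewall": {"threat": "malware"}},
    {"@timestamp": _ts("2020-03-12T08:30:00+00:00"), "source": {"ip": "10.0.0.9"}, "firewall": {"threat": "malware"}},
    {"@timestamp": _ts("2020-03-20T14:00:00+00:00"), "source": {"ip": "10.0.0.7"}, "firewall": {"threat": "allowed"}},
    {"@timestamp": _ts("2020-03-28T23:15:00+00:00"), "source": {"ip": "10.0.0.5"}, "firewall": {"threat": "malware"}},
]

if __name__ == "__main__":
    for label, rule, events in [
        ("default now-5m schedule", build_rule(), SAMPLE_EVENTS),
        ("one-off now-90d run   ", build_rule(from_expr="now-90d"), SAMPLE_EVENTS),
        ("after re-stamping     ", build_rule(), restamp_for_replay(SAMPLE_EVENTS, NOW)),
    ]:
        print(f"{label}: {len(run_rule(rule, events, NOW))} signal(s)")
```

Note that the `now-90d` window starting at 2020-06-01 reaches back to 2020-03-03, so the event from 2 March still produces no signal; a historical run has to be sized from the oldest document you care about, not from the calendar range selected in the SIEM view, which only filters signals that already exist.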

Thank you very much for the information.


By the way, I have a doubt. I created a rule to detect if a Windows event ID appears, which means something happened. I would like to limit the alerts I see on the Detections side of the SIEM just to cases where the event appears more than X times. I mean, if for example I detect an event which means someone is trying to log into my host, I would like to see the detection just if someone tried it 5 times. So, if the event appears 5 times, the "alert" is shown.

Is it possible?


It cannot do thresholds or counts like that over a period of time just yet. We are hoping to soon, though.
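Since the answer says the detection engine cannot count occurrences inside a window yet, here is the same decision done outside the rule, as an added example that is not part of the thread or of Elastic's code: an Elasticsearch search body whose `terms` aggregation returns only groups with at least N matching documents in the window (`min_doc_count`), plus the equivalent local count over sample events so the threshold and the window edge can be checked. Assumptions: events carry ECS-style `event.code`, `source.ip` and `@timestamp`; event code 4625 (Windows failed logon) stands in for "the event ID" in the question; the events and the evaluation time are constructed.

```python
"""Threshold-on-count over a rule window, done outside the SIEM rule.
Added example; the logon events below are constructed, not real Windows logs."""
from collections import Counter
from datetime import datetime, timedelta, timezone


def threshold_search_body(event_code, group_field, min_count, window="5m"):
    """Search body for Elasticsearch: filter to the event ID inside the window and
    keep only buckets with at least `min_count` documents. Each bucket returned is
    one alert candidate, so five failures from one source become one alert."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [
            {"term": {"event.code": event_code}},
            {"range": {"@timestamp": {"gte": f"now-{window}", "lte": "now"}}},
        ]}},
        "aggs": {"offenders": {"terms": {
            "field": group_field, "min_doc_count": min_count, "size": 100,
        }}},
    }


def field(doc, path):
    """Read a dotted path such as source.ip from a nested document."""
    for part in path.split("."):
        if not isinstance(doc, dict):
            return None
        doc = doc.get(part)
    return doc


def threshold_alerts(events, event_code, group_field, min_count, window, now):
    """Local equivalent of the aggregation: {group value: count} for every group
    that reached `min_count` occurrences of `event_code` in [now - window, now]."""
    start = now - window
    counts = Counter(
        field(e, group_field)
        for e in events
        if field(e, "event.code") == event_code and start <= e["@timestamp"] <= now
    )
    return {group: n for group, n in counts.items() if n >= min_count}


def _ev(ts, code, ip):
    return {
        "@timestamp": datetime.fromisoformat(ts).astimezone(timezone.utc),
        "event": {"code": code},
        "source": {"ip": ip},
    }


NOW = datetime.fromisoformat("2020-06-01T12:00:00+00:00").astimezone(timezone.utc)
WINDOW = timedelta(minutes=5)

# Constructed events. 192.0.2.10: five failures inside the window (alert).
# 192.0.2.20: three failures (below threshold). 192.0.2.30: five failures in
# total but only two inside the last five minutes (window edge, no alert).
# The 4624 success from 192.0.2.10 must not be counted.
SAMPLE_LOGONS = [
    _ev("2020-06-01T11:56:00+00:00", "4625", "192.0.2.10"),
    _ev("2020-06-01T11:57:00+00:00", "4625", "192.0.2.10"),
    _ev("2020-06-01T11:57:30+00:00", "4625", "192.0.2.10"),
    _ev("2020-06-01T11:58:00+00:00", "4625", "192.0.2.10"),
    _ev("2020-06-01T11:58:00+00:00", "4624", "192.0.2.10"),
    _ev("2020-06-01T11:59:00+00:00", "4625", "192.0.2.10"),
    _ev("2020-06-01T11:58:00+00:00", "4625", "192.0.2.20"),
    _ev("2020-06-01T11:59:00+00:00", "4625", "192.0.2.20"),
    _ev("2020-06-01T11:59:30+00:00", "4625", "192.0.2.20"),
    _ev("2020-06-01T11:30:00+00:00", "4625", "192.0.2.30"),
    _ev("2020-06-01T11:35:00+00:00", "4625", "192.0.2.30"),
    _ev("2020-06-01T11:40:00+00:00", "4625", "192.0.2.30"),
    _ev("2020-06-01T11:58:00+00:00", "4625", "192.0.2.30"),
    _ev("2020-06-01T11:59:00+00:00", "4625", "192.0.2.30"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(threshold_search_body("4625", "source.ip", 5), indent=2))
    print("offenders:", threshold_alerts(SAMPLE_LOGONS, "4625", "source.ip", 5, WINDOW, NOW))
```

The window matters as much as the count: a source that fails five times over twenty minutes never trips a five-minute window, so pick the window to match how the attack you care about actually paces itself, and run the search on the same schedule a rule would.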
