I ingested some data from firewall devices, from which I would like to create rules in the Detections part of the Elastic SIEM.
I created a rule to detect Malware using a field of the log file which has that information.
The problem is I only have logs from a brief sequence of time (only a month of logs). I'm configuring in the SIEM calendar the value "Last 90 days", but no signals are shown from that period of time (logs are from March).
If I use the KQL query in Discover in Kibana, it works properly, so I think the rule should be working.
My doubt is: why can't I see the signal against this "old" file? Should new data be introduced again into Elasticsearch after the rule is created? Can't I see signals using this period of time?
The detection engine by default, when you create a rule, goes back 5 minutes every 5 minutes looking for signals. It's more real-time-ish than it is historic.
You could potentially either re-index your index to make it look like it is from recent times, or configure a rule to run really, really far backwards and then turn it on once, run it, and then turn it off as a workaround if you want to.
By the way, I have a doubt. I created a rule to detect if a Windows event ID appears, which means something happened. I would like to limit the alerts I see in the Detections side of the SIEM just to cases where the event appears more than X times. I mean, if for example I detect an event which means someone is trying to log into my host, I would like to see the Detections just if someone tried it 5 times. So, if the event appears 5 times, the "alert" is shown.
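As an added illustration (not code from the original thread or from Elastic), here is a small Python model of the two points above: why a rule that only looks back a few minutes never sees March data until its `from` is pushed far back, and how a threshold rule counts matches per field before alerting. The minimal date-math parser, the sample events, the `match` callable standing in for the rule's KQL query, and the `now-6m` default lookback (5-minute interval plus 1 minute of additional look-back) are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

UNITS = {"m": "minutes", "h": "hours", "d": "days"}

def parse_date_math(expr, now):
    """Resolve a minimal subset of Elasticsearch date math ('now', 'now-6m', 'now-90d')."""
    m = re.fullmatch(r"now(?:-(\d+)([mhd]))?", expr)
    if not m:
        raise ValueError(f"unsupported date math: {expr}")
    if m.group(1) is None:
        return now
    return now - timedelta(**{UNITS[m.group(2)]: int(m.group(1))})

def matching_events(rule, events, now):
    """One rule execution: events matching the query whose @timestamp lies in [from, now]."""
    start = parse_date_math(rule["from"], now)
    return [e for e in events if rule["match"](e) and start <= e["@timestamp"] <= now]

def threshold_alerts(rule, events, now):
    """Threshold rule: group matches by threshold.field and alert only when count >= value."""
    field, value = rule["threshold"]["field"], rule["threshold"]["value"]
    counts = Counter(e[field] for e in matching_events(rule, events, now))
    return {k: c for k, c in counts.items() if c >= value}

def is_failed_logon(event):
    """Stand-in for the rule's KQL query (assumed: event.code:4625, Windows failed logon)."""
    return event["event.code"] == "4625"

# Constructed sample data: logs from March, while the rule runs in mid-May.
NOW = datetime(2020, 5, 15, 12, 0, tzinfo=timezone.utc)
MARCH = datetime(2020, 3, 10, 9, 0, tzinfo=timezone.utc)
EVENTS = (
    [{"@timestamp": MARCH + timedelta(minutes=i), "event.code": "4625", "host.name": "host-a"} for i in range(5)]
    + [{"@timestamp": MARCH + timedelta(minutes=i), "event.code": "4625", "host.name": "host-b"} for i in range(2)]
    + [{"@timestamp": MARCH, "event.code": "4624", "host.name": "host-a"}]
)

# Default schedule: every 5 minutes, look back 6 minutes -> March events are never in the window.
DEFAULT_RULE = {"from": "now-6m", "interval": "5m", "match": is_failed_logon,
                "threshold": {"field": "host.name", "value": 5}}
# The workaround from the answer: same rule with a far-back 'from', enabled once and then disabled.
HISTORIC_RULE = {**DEFAULT_RULE, "from": "now-90d"}

if __name__ == "__main__":
    print(len(matching_events(DEFAULT_RULE, EVENTS, NOW)))   # 0
    print(len(matching_events(HISTORIC_RULE, EVENTS, NOW)))  # 7
    print(threshold_alerts(HISTORIC_RULE, EVENTS, NOW))      # {'host-a': 5}
```

Only host-a reaches the threshold of 5 failed logons, so a threshold rule would produce one signal for it and none for host-b, and nothing at all with the default 6-minute window.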