"SMTP to Internet" signal detection rule is not fired up by Elastic SIEM

Hi people, I'm new to this forum, so nice to meet you.

I'm testing the detection power of Elastic SIEM, and in some cases it doesn't detect the rule events. This is one case:

Signal detection rule: SMTP to Internet (it's a pre-built rule)
Index patterns: filebeat-*
Custom query: network.transport:tcp and destination.port:(25 or 465 or 587) and source.ip:( or or and not destination.ip:( or or or or "::1")

In one of my servers with filebeat, I execute "telnet x.x.x.x 25" (x.x.x.x is the public IP of an SMTP server), but when I go to Discover and select the Filebeat index to look for the query fields, I see that the following fields don't exist in the given index:


Is it possible that these fields don't appear in the filebeat index because of my filebeat configuration?

```yaml
# Section keys (filebeat.inputs, filebeat.config.modules, setup.*, output.elasticsearch,
# processors) are reconstructed from the stock filebeat.yml layout; the post itself
# only showed the values, and the glob patterns appear exactly as they survived.
filebeat.inputs:
  - type: log
    enabled: true
    paths:
      - /var/log/.log

filebeat.config.modules:
  path: ${path.config}/modules.d/
  reload.enabled: false

setup.template.settings:
  index.number_of_shards: 1

setup.kibana:
  host: "https://siem.example.com:5601"

output.elasticsearch:
  hosts: ["siem.example.com:9200"]
  protocol: "https"
  username: "elastic"
  password: "xxx"
  ssl.certificate_authorities: ["/etc/ssl/certs/ca.crt"]

processors:
  - add_host_metadata: ~
```

Because the "SMTP to Internet" pre-built rule searches into filebeat-* by default.

Thank you very much.


Hey there Jelo -- thanks for joining the community! 🙂

And yes, you are correct about those fields not being populated because of your configuration. For filebeat to index those fields, you'll either need to add a module that populates those fields (Cisco, haproxy, Netflow, Suricata, Zeek), or have a log file that has those fields present.

Alternatively, you could use Packetbeat or Auditbeat which would cover most of the other Network rules as well.

Hope that helps, and let us know if you have any issues getting the rule to fire once those fields are populated. Cheers!

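As an added illustration (not code from the thread or from Elastic), here is a Python evaluation of the rule's logic over two constructed documents: a plain log line as shipped by a `filebeat.yml` log input, and a Packetbeat-style flow event with the ECS network fields populated. The CIDR lists are an assumption (RFC 1918 ranges plus loopback), since the thread does not reproduce them; the field names are those from the rule query.

```python
import ipaddress

# Approximation of the pre-built "SMTP to Internet" query. The CIDR lists are an
# assumption (RFC 1918 plus loopback); the thread does not reproduce the real values.
REQUIRED_FIELDS = ("network.transport", "destination.port", "source.ip", "destination.ip")
SMTP_PORTS = {25, 465, 587}
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXCLUDED_DST = INTERNAL + [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]


def missing_fields(doc):
    """Return the rule fields that are absent from a flattened ECS document."""
    return [f for f in REQUIRED_FIELDS if f not in doc]


def _in_any(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr.version == net.version and addr in net for net in networks)


def matches_rule(doc):
    """Evaluate the query against one document; a missing field can never match."""
    if missing_fields(doc):
        return False
    return (
        doc["network.transport"] == "tcp"
        and int(doc["destination.port"]) in SMTP_PORTS
        and _in_any(doc["source.ip"], INTERNAL)
        and not _in_any(doc["destination.ip"], EXCLUDED_DST)
    )


# Constructed sample events: what a log-file input yields for the telnet session
# (just the raw line), versus a flow record carrying the ECS network fields.
FILEBEAT_LOG_EVENT = {
    "message": "Trying 203.0.113.25... Connected to mail.example.net.",
    "log.file.path": "/var/log/syslog",
    "host.name": "web01",
}
PACKETBEAT_FLOW_EVENT = {
    "network.transport": "tcp",
    "source.ip": "192.168.10.20",
    "destination.ip": "203.0.113.25",
    "destination.port": 25,
}

if __name__ == "__main__":
    for name, doc in (("filebeat log", FILEBEAT_LOG_EVENT), ("packetbeat flow", PACKETBEAT_FLOW_EVENT)):
        print(f"{name}: missing={missing_fields(doc)} fires={matches_rule(doc)}")
```

The log-input document reports all four fields missing and never fires, while the flow record matches; this is why the answer points at network-aware modules or Packetbeat rather than at the rule itself.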

Hi Garret, I've just read your response.

Thanks a lot for your useful help.

Cheers!!!
