Hi people, I'm new at this forum so nice to meet you.
I'm testing the detection power of Elastic SIEM and in some cases it doesn't detect the rule events. This is a case:
Signal detection rule: SMTP to Internet (it's a pre-built rule)
Index patterns: filebeat-*
Custom query: network.transport:tcp and destination.port:(25 or 465 or 587) and source.ip:(10.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16) and not destination.ip:(10.0.0.0/8 or 127.0.0.0/8 or 172.16.0.0/12 or 192.168.0.0/16 or "::1")
In one of my servers with filebeat, I execute "telnet x.x.x.x 25" (x.x.x.x is the public IP from an SMTP server), but when I go to Discover and select the Filebeat index to look for the query fields, I see that the following fields don't exist in the given index:
Is it possible that these fields don't appear in the filebeat index because of my filebeat configuration?
- add_host_metadata: ~
Because the "SMTP to Internet" pre-built rule searches into filebeat-* by default.
Thank you very much.
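As an added illustration (not part of the original post or of Elastic's own code), the rule's custom query can be reproduced in Python over constructed, flattened ECS-style events; this makes it explicit which fields the rule needs and shows that an event missing `source.ip`/`destination.ip` can never match. The events below are made up, and `203.0.113.5` is a documentation (TEST-NET) address standing in for the public SMTP server.

```python
import ipaddress

# Networks from the "SMTP to Internet" custom query.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXCLUDED_DST = INTERNAL_NETS + [ipaddress.ip_network("127.0.0.0/8"),
                                ipaddress.ip_network("::1/128")]
SMTP_PORTS = {25, 465, 587}
# Every field the KQL query references; if any is absent the query cannot match.
REQUIRED_FIELDS = ("network.transport", "destination.port",
                   "source.ip", "destination.ip")


def _in_any(ip, nets):
    """True if ip lies in any listed network (IPv4/IPv6 mismatch yields False)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def missing_fields(event):
    """Fields the rule needs that this event does not carry."""
    return [f for f in REQUIRED_FIELDS if f not in event]


def smtp_to_internet(event):
    """Evaluate the rule's query against one flattened ECS event."""
    if missing_fields(event):
        return False  # same outcome as in Kibana: no field, no signal
    return (event["network.transport"] == "tcp"
            and int(event["destination.port"]) in SMTP_PORTS
            and _in_any(event["source.ip"], INTERNAL_NETS)
            and not _in_any(event["destination.ip"], EXCLUDED_DST))


# Constructed sample events (flattened ECS keys, as shown in Discover).
SAMPLE_EVENTS = [
    {"network.transport": "tcp", "source.ip": "192.168.1.10",
     "destination.ip": "203.0.113.5", "destination.port": 25},     # telnet x.x.x.x 25
    {"network.transport": "tcp", "source.ip": "10.0.0.5",
     "destination.ip": "10.0.0.6", "destination.port": 25},        # internal relay
    {"network.transport": "udp", "source.ip": "192.168.1.10",
     "destination.ip": "203.0.113.5", "destination.port": 25},     # wrong transport
    {"host.name": "srv1", "event.dataset": "system.syslog"},        # no network fields
]


def evaluate(events=SAMPLE_EVENTS):
    """Return (matched, missing_fields) for each event, in order."""
    return [(smtp_to_internet(e), missing_fields(e)) for e in events]


if __name__ == "__main__":
    for i, (hit, missing) in enumerate(evaluate()):
        print(f"event {i}: signal={hit} missing={missing}")
```

Running it shows only the first event produces a signal; the last event is skipped purely because the network fields are absent, which is the situation to check for in the filebeat-* index before blaming the rule.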