[Solved problem] Endpoint security cannot detect malware

Rebooting Kibana and Elasticsearch will do the trick after reconfiguring the rules and policy.

Thanks for sharing your solution, @Intruder.

For some background context, Elastic Defend/Endpoint autonomously protects hosts. If it received a successful policy application in the past, then it will protect the host even if something is not working with Kibana, Elasticsearch, or Fleet Server. Given that rebooting fixed your issue, my presumption is that there had not been a successful policy application until you rebooted Kibana.

I think the main reason could be the RAM of the VM.
The main problem was:

Security → Alerts could not auto-update the alerts after running a malware sample.
For example, before I ran mimikatz, the Alerts page showed 10 alerts.
The refresh button was not working; it still showed 10.
And after I rebooted Kibana and Elasticsearch, it showed 12.