Unable to observe Security alerts in Elastic Security

Dear Team,

I have set up a test environment on Elastic Cloud and I am ingesting Windows events.
I created an index with the mapping below.

PUT alerts-security
{
  "settings": {
    "number_of_shards": 1
  },
  "mappings": {
    "properties": {
      "rule_id": { "type": "text" },
      "rule_name": { "type": "text" },
      "alert_id": { "type": "text" },
      "context_message": { "type": "text" },
      "@timestamp": { "type": "date" }
    }
  }
}

Afterwards I created an alias for the index.

POST _aliases
{
  "actions": [
    {
      "add": {
        "index": "alerts-security",
        "alias": ".alerts-security.alerts-default"
      }
    }
  ]
}

After that I created a connector, shown in screenshot1.

After that I created a rule for Windows authentication failure; see the attached screenshot2, screenshot3 and screenshot4.

But I could not observe any alert on the Alerts page. Please find the screenshot attached below.

But I can observe the data in the alert index. Please find the screenshot attached below.

I can also query the alert index. Please find the screenshot attached below.

Requesting support and guidance: am I missing something?

Best Regards

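The following is an added diagnostic, not code from the original post or from Elastic. It illustrates why documents written directly into a hand-made index behind the `.alerts-security.alerts-default` alias do not surface on the Security Alerts page: the page only lists documents carrying the alert metadata that the detection engine writes. The field list `REQUIRED_ALERT_FIELDS` and the query in `alerts_page_query` are assumptions taken from the Kibana 8.x alerts-as-data schema, and the two sample documents are constructed; confirm the fields against your own cluster with `GET .alerts-security.alerts-default/_mapping`.

```python
# Added example (not from the original post): classify documents in the alerts
# index by whether they carry the fields the Security Alerts page relies on.
# REQUIRED_ALERT_FIELDS is an assumption based on the Kibana 8.x alerts-as-data
# schema; verify it with GET .alerts-security.alerts-default/_mapping.
from typing import Any, Dict, List

REQUIRED_ALERT_FIELDS = (
    "@timestamp",
    "kibana.alert.rule.uuid",        # ties the alert to the detection rule
    "kibana.alert.rule.name",
    "kibana.alert.uuid",             # stable per-alert identifier
    "kibana.alert.status",           # "active" / "recovered"
    "kibana.alert.workflow_status",  # "open" / "acknowledged" / "closed"
    "kibana.space_ids",              # the Alerts page filters on the current space
)


def flatten(doc: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Flatten nested objects to dotted keys so that
    {"kibana": {"alert": {"uuid": ...}}} and {"kibana.alert.uuid": ...}
    are compared the same way."""
    out: Dict[str, Any] = {}
    for key, value in doc.items():
        full = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, full + "."))
        else:
            out[full] = value
    return out


def missing_fields(doc: Dict[str, Any]) -> List[str]:
    """Return the required alert fields the document lacks, in schema order."""
    present = flatten(doc)
    return [f for f in REQUIRED_ALERT_FIELDS if f not in present]


def classify(doc: Dict[str, Any]) -> str:
    """'detection-engine' when every field the Alerts page needs is present,
    otherwise 'custom' (indexed directly, so the UI will not list it)."""
    return "detection-engine" if not missing_fields(doc) else "custom"


def alerts_page_query(space_id: str = "default") -> Dict[str, Any]:
    """Approximation (assumed, not Kibana's exact query) of the filter the
    Alerts page applies. Run it with GET .alerts-security.alerts-default/_search
    to see which documents the UI is able to show."""
    return {
        "query": {
            "bool": {
                "filter": [
                    {"term": {"kibana.space_ids": space_id}},
                    {"exists": {"field": "kibana.alert.rule.uuid"}},
                ]
            }
        }
    }


def triage(docs: List[Dict[str, Any]]) -> Dict[str, int]:
    """Count documents the Alerts page will show versus those it will skip."""
    counts = {"detection-engine": 0, "custom": 0}
    for d in docs:
        counts[classify(d)] += 1
    return counts


# Constructed sample documents. The first mirrors the custom mapping from the
# post; the second is the shape a rule created in the Security app writes.
# All identifiers are placeholders, not real values.
CUSTOM_DOC = {
    "@timestamp": "2024-01-01T00:00:00Z",
    "rule_id": "win-auth-failure",
    "rule_name": "Windows authentication failure",
    "alert_id": "custom-0001",
    "context_message": "4625 logon failure for user EXAMPLE\\alice",
}

ENGINE_DOC = {
    "@timestamp": "2024-01-01T00:00:05Z",
    "kibana.alert.rule.uuid": "00000000-0000-4000-8000-000000000001",
    "kibana.alert.rule.name": "Windows authentication failure",
    "kibana.alert.uuid": "11111111-1111-4111-8111-111111111111",
    "kibana.alert.status": "active",
    "kibana.alert.workflow_status": "open",
    "kibana.space_ids": ["default"],
    "event.code": "4625",
}

if __name__ == "__main__":
    for d in (CUSTOM_DOC, ENGINE_DOC):
        print(classify(d), "missing:", missing_fields(d))
    print(triage([CUSTOM_DOC, ENGINE_DOC]))
```

Running this against the two constructed documents reports the first as `custom` with six missing fields and the second as `detection-engine`. That is the gap behind the fix in the reply below: a rule created in the Detections section writes into an index that Kibana's alerting framework manages and populates these fields itself, whereas a manually created index and alias hold documents the Alerts page never selects, even though they are visible to a plain `_search`.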

Resolved it by creating the rules through the Detection section.
