Unable to observe Security alerts in Elastic Security

Elastic Security
1

Dear Team,

I have setup a test environment on elastic cloud and i am ingesting windows events.
I created an index with below mapping

PUT alerts-security
{
"settings" : {
"number_of_shards" : 1
},
"mappings" : {
"properties" : {
"rule_id" : { "type" : "text" },
"rule_name" : { "type" : "text" },
"alert_id" : { "type" : "text" },
"context_message": { "type" : "text" },
"@timestamp": { "type" : "date" }
}
}
}

afterwards created an aliases for the index

POST _aliases
{
"actions": [
{
"add": {
"index": "alerts-security",
"alias": ".alerts-security.alerts-default"
}
}
]
}

after that created an connector with the below screenshot1.

image
image2197×943 112 KB

after that created a rule for windows authentication failure below screenshot attached screenshot2, screenshot3, screenshot4

image
image925×1216 51.2 KB

image
image930×1195 55.1 KB

image
image928×1195 59 KB

image
image2202×1012 105 KB

image
image2193×1287 215 KB

But i could not observe any alert on the alert page please find the screenshot attached below

image
image2559×1249 130 KB

image
image2554×1026 139 KB

But i can observe the data in the alert index Please find the screenshot attached below

image
image2559×1003 202 KB

I can also query the alert index please find the screenshot attached below

image
image2559×1315 418 KB

requesting support and guidance am i missing something.

Best Regards

1 Like
2

resolved it by creating the rules through detection section.

3

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.