Dear Team,
I have set up a test environment on Elastic Cloud and I am ingesting Windows events.
I created an index with the below mapping:
PUT alerts-security
{
  "settings" : {
    "number_of_shards" : 1
  },
  "mappings" : {
    "properties" : {
      "rule_id" : { "type" : "text" },
      "rule_name" : { "type" : "text" },
      "alert_id" : { "type" : "text" },
      "context_message": { "type" : "text" },
      "@timestamp": { "type" : "date" }
    }
  }
}
Afterwards, I created an alias for the index:
POST _aliases
{
  "actions": [
    {
      "add": {
        "index": "alerts-security",
        "alias": ".alerts-security.alerts-default"
      }
    }
  ]
}
After that, I created a connector, shown in screenshot1.
After that, I created a rule for Windows authentication failure; see the attached screenshot2, screenshot3 and screenshot4.
But I could not observe any alert on the Alerts page; please find the screenshot attached below.
But I can observe the data in the alert index; please find the screenshot attached below.
I can also query the alert index; please find the screenshot attached below.
Requesting support and guidance. Am I missing something?
Best Regards
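A quick offline check of the posted mapping, as an added example that is not part of the original post. It replays the mapping above against a constructed sample document and reports two things a practitioner would want to know before blaming the Alerts page: which fields are mapped as `text` (analysed, so unusable for term filters and aggregations) rather than `keyword`, and which alerts-as-data fields a detection-engine alert normally carries that the custom document lacks. The list of expected fields and the field-to-field translation are assumptions made for this example, not a Kibana specification; the field names themselves are real `kibana.alert.*` names.

```python
"""Sanity checks for a hand-made Security alerts index (added example)."""
from __future__ import annotations

# The mapping exactly as posted in the question.
POSTED_MAPPING = {
    "properties": {
        "rule_id": {"type": "text"},
        "rule_name": {"type": "text"},
        "alert_id": {"type": "text"},
        "context_message": {"type": "text"},
        "@timestamp": {"type": "date"},
    }
}

# Constructed sample document, shaped like one an index connector would write.
SAMPLE_DOC = {
    "@timestamp": "2024-01-01T00:00:00.000Z",
    "rule_id": "win-auth-failure",
    "rule_name": "Windows authentication failure",
    "alert_id": "0001",
    "context_message": "5 failed logons for user alice from 10.0.0.5",
}

# Assumption: alerts-as-data fields a detection-engine alert carries and that the
# Alerts page filters on (workflow status, space, rule identity). Treat this as a
# checklist, not as the authoritative list of what the UI requires.
EXPECTED_ALERT_FIELDS = (
    "@timestamp",
    "event.kind",
    "kibana.alert.uuid",
    "kibana.alert.rule.uuid",
    "kibana.alert.rule.rule_id",
    "kibana.alert.rule.name",
    "kibana.alert.workflow_status",
    "kibana.space_ids",
)

# Assumption: posted field -> alerts-as-data field it most plausibly maps to.
FIELD_TRANSLATION = {
    "rule_id": "kibana.alert.rule.rule_id",
    "rule_name": "kibana.alert.rule.name",
    "alert_id": "kibana.alert.uuid",
    "context_message": "kibana.alert.reason",
    "@timestamp": "@timestamp",
}


def text_fields_without_keyword(mapping: dict) -> list[str]:
    """Return fields mapped as `text` that have no `keyword` sub-field.

    `text` fields are analysed and cannot be used in term filters or
    aggregations, which is how an alerts table groups by rule and status.
    """
    out = []
    for name, spec in mapping.get("properties", {}).items():
        if spec.get("type") != "text":
            continue
        subfields = spec.get("fields", {})
        if not any(sub.get("type") == "keyword" for sub in subfields.values()):
            out.append(name)
    return sorted(out)


def flatten(doc: dict, prefix: str = "") -> dict:
    """Flatten nested objects to dotted keys so both document styles compare alike."""
    flat = {}
    for key, value in doc.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            flat.update(flatten(value, path + "."))
        else:
            flat[path] = value
    return flat


def missing_alert_fields(doc: dict) -> list[str]:
    """Return the expected alerts-as-data fields absent from `doc`, in checklist order."""
    present = flatten(doc)
    return [field for field in EXPECTED_ALERT_FIELDS if field not in present]


def translate_to_alert_doc(doc: dict, space_id: str = "default") -> dict:
    """Rewrite a custom document into alerts-as-data shape (dotted keys).

    This only shows the gap: the detection engine also sets the rule UUID,
    severity, risk score and more, so it is not a substitute for the engine.
    """
    out = {FIELD_TRANSLATION[k]: v for k, v in doc.items() if k in FIELD_TRANSLATION}
    out.setdefault("event.kind", "signal")
    out.setdefault("kibana.alert.workflow_status", "open")
    out.setdefault("kibana.space_ids", [space_id])
    return out


if __name__ == "__main__":
    print("text fields without keyword:", text_fields_without_keyword(POSTED_MAPPING))
    print("missing before translation:", missing_alert_fields(SAMPLE_DOC))
    print("missing after translation:", missing_alert_fields(translate_to_alert_doc(SAMPLE_DOC)))
```

Run against the posted mapping, every custom field comes back as `text` without a `keyword` sub-field, and the sample document is missing every alerts-as-data field except `@timestamp`; even after the translation it still has no `kibana.alert.rule.uuid`, which only the detection engine assigns. Also worth checking in the same session: `GET _alias/.alerts-security.alerts-default`, since on recent stacks Kibana creates and manages that alias itself (backed by a `.internal.alerts-security.alerts-default-*` index with its own mapping), so pointing it at a hand-made index is not something the Alerts page is built to read.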