I am facing a particular error regarding many pre-built Elastic rules. Once activated, many of them start failing on execution with the error:
`An error occurred during rule execution: message: "verification_exception".`
Some of these rules include:
- Suspicious .NET Code Compilation
- Suspicious WMI Image Load from MS Office
- NTDS or SAM Database File Copied
- Lateral Movement via Startup Folder
It appears that these rules' queries are written in EQL, and that they typically have 3 index patterns:
logs-windows.*. I have only got Winlogbeat in my case, without Elastic Agents/Endpoints running.
Must I have all 3 of the index patterns present in order for these rules to execute successfully?
For reference, a slight variation of this issue is found in this GitHub issue.
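A `verification_exception` is raised by Elasticsearch's EQL validation step before the query runs, so the rule's index patterns and the fields its query references are the first things to check. The following pre-flight checker is an added example, not code from the post or from Elastic's detection-rules project: given a rule's index patterns and the fields it references, it reports patterns that resolve to no index and fields that are unmapped in the indices that did match. The rule definition and cluster snapshot are constructed for illustration (the field names and index names are assumptions); in a real deployment the snapshot would be filled from `GET _cat/indices` and `GET <index>/_mapping`.

```python
from fnmatch import fnmatchcase

# Constructed rule definition (not the real Elastic rule): the index patterns it
# queries and the ECS field paths its EQL query references. Field names assumed.
SAMPLE_RULE = {
    "name": "Example EQL rule (constructed)",
    "index": ["winlogbeat-*", "logs-endpoint.events.*", "logs-windows.*"],
    "fields": ["event.category", "process.name", "process.parent.name"],
}

# Constructed cluster snapshot: index name -> set of mapped field paths.
# Only Winlogbeat indices exist here, mirroring a setup without Elastic Agent.
SAMPLE_INDICES = {
    "winlogbeat-7.10.0-2021.01.01": frozenset(
        {"event.category", "process.name", "process.parent.name"}
    ),
    # Second index is missing a mapping for process.parent.name.
    "winlogbeat-7.10.0-2021.01.02": frozenset({"event.category", "process.name"}),
}


def matching_indices(pattern, indices):
    """Return the index names a wildcard pattern resolves to.

    Elasticsearch index patterns use '*' as the wildcard; fnmatchcase also
    treats '?' and '[...]' specially, which is acceptable for typical patterns.
    """
    return sorted(name for name in indices if fnmatchcase(name, pattern))


def check_rule(rule, indices):
    """Pre-flight check: which patterns match nothing and which referenced
    fields are unmapped in the indices that did match."""
    result = {"unmatched_patterns": [], "matched_indices": [], "unmapped_fields": {}}
    seen = set()
    for pattern in rule["index"]:
        hits = matching_indices(pattern, indices)
        if not hits:
            result["unmatched_patterns"].append(pattern)
        for name in hits:
            if name not in seen:
                seen.add(name)
                result["matched_indices"].append(name)
    result["matched_indices"].sort()
    for field in rule["fields"]:
        missing = [name for name in result["matched_indices"] if field not in indices[name]]
        if missing:
            result["unmapped_fields"][field] = missing
    return result


def report_lines(rule, indices):
    """Human-readable summary of the check for one rule."""
    res = check_rule(rule, indices)
    lines = [f"Rule: {rule['name']}"]
    for pattern in res["unmatched_patterns"]:
        lines.append(f"  pattern matches no index: {pattern}")
    for field, names in res["unmapped_fields"].items():
        lines.append(f"  field {field} unmapped in: {', '.join(names)}")
    if len(lines) == 1:
        lines.append("  all patterns resolve and all fields are mapped")
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(SAMPLE_RULE, SAMPLE_INDICES)))
```

A pattern that matches no index is not by itself a query error, but a referenced field with no mapping in a matched index is exactly the kind of condition EQL validation rejects, so the `unmapped_fields` entries are the ones to act on first (for example by ensuring the Winlogbeat index template maps the ECS fields the rule needs).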