Endpoint Security Rules are Failing on On-Prem usage (seen on 7.11.0 BC6 and 8.0/master) #90401
Comments
@manishgupta-qasource Please review
Reviewed & Assigned to @MadameSheema
Pinging @elastic/security-solution (Team: SecuritySolution)
Thanks for reporting this issue. @karanbirsingh-qasource does the error go away after the Windows Endpoint starts sending data to the server?
You can verify in Kibana Dev Tools by running the following query after installing the endpoint but before it sends the first alert.
Then you can run the same query again after the Endpoint sends the first alert to verify the mapping is now present.
After the mapping and index pattern are present, the rule will execute successfully:
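As an added example (not code from this thread or from Kibana), the Python check below mirrors the verification described in the comment above: resolve the rule's index pattern against what the cluster actually has and report the same "did not match any indices" condition before versus after the first Endpoint alert. The constructed `_resolve/index` responses, the sample data stream name and the simplified failed/succeeded logic are assumptions, not the product's own implementation.

```python
import fnmatch
import json
import urllib.request

# Constructed samples shaped like GET /_resolve/index/logs-endpoint.alerts-* (Elasticsearch 7.9+):
# a fresh install before the Endpoint ships anything, and the same cluster after the first alert.
BEFORE_FIRST_ALERT = {"indices": [], "aliases": [], "data_streams": []}
AFTER_FIRST_ALERT = {
    "indices": [{"name": ".ds-logs-endpoint.alerts-default-000001",
                 "data_stream": "logs-endpoint.alerts-default"}],
    "aliases": [],
    "data_streams": [{"name": "logs-endpoint.alerts-default",
                      "backing_indices": [".ds-logs-endpoint.alerts-default-000001"]}],
}
ENDPOINT_RULE_PATTERNS = ["logs-endpoint.alerts-*"]  # the pattern named in the issue's error


def resolved_names(resolve_response):
    """Every name the cluster exposes under the pattern: indices, aliases and data streams."""
    return {entry["name"]
            for key in ("indices", "aliases", "data_streams")
            for entry in resolve_response.get(key, [])}


def unmatched_patterns(rule_patterns, known_names):
    """Return the rule patterns that match none of known_names.

    Data stream and alias names must be included: the backing index
    .ds-logs-endpoint.alerts-default-000001 does NOT match logs-endpoint.alerts-*,
    so checking _cat/indices output alone would report a missing index that is
    actually present as a data stream.
    """
    return [p for p in rule_patterns
            if not any(fnmatch.fnmatchcase(name, p) for name in known_names)]


def rule_status(rule_patterns, resolve_response):
    """Simplified status (assumption): 'failed' with the issue's error text if any pattern is unmatched."""
    missing = unmatched_patterns(rule_patterns, resolved_names(resolve_response))
    if missing:
        return "failed", "The following index patterns did not match any indices: " + json.dumps(missing)
    return "succeeded", ""


def fetch_resolve(es_url, pattern):
    """Live variant: ask the cluster itself (auth/TLS handling left to the caller)."""
    with urllib.request.urlopen(f"{es_url}/_resolve/index/{pattern}") as resp:
        return json.load(resp)


if __name__ == "__main__":
    for label, snapshot in (("before first alert", BEFORE_FIRST_ALERT), ("after first alert", AFTER_FIRST_ALERT)):
        print(label, rule_status(ENDPOINT_RULE_PATTERNS, snapshot))
```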
Following from the meeting, I created this issue to attempt to create data_streams before the Endpoint sends the first document. #90672 After speaking with @scunningham the fix may not be straightforward since there is a bit of context involved in naming the data_streams correctly (i.e. what is the |
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Hi @peluja1012, we have validated this issue on 7.11.1 BC1 On-Cloud and found that the issue is still occurring. Endpoint security detection rules are failing. However, the Endpoint Security rule got to the success state after the first alert signals were generated for the respective rule. Build Details:
CC @kevinlog
This is a feature 😉 I have merged a branch to 7.11.2 which will replace these failing statuses with a warning. But we have already heard from users that they didn't know they didn't get the endpoint integration out of the box so this has been helpful. Definitely not a bug though.
Hi there, I'm having the same issue with a fresh install. I only have Linux hosts with agents installed on them (no Windows), and I'm trying to generate an alert to initiate the logs-endpoint.alerts index without success. I have been trying to trigger an alert using out-of-the-box Elastic detection rules regarding nmap process detection and telnet activity (easy to trigger). Additionally, if I search in logs for nmap, I can see from the metricbeat source the events I generated on the default namespace, but I can't see the events on custom namespaces (using different policies I got agents on the default namespace and agents on custom namespaces; I generated the 'malicious activity' from both). Any idea of what is going on there?
After days of troubleshooting, finally tried with a VM instead of a container.
Describe the bug
Endpoint Security Rules are Failing on 7.11.0 BC6 On-Prem
Build Details:
Browser Details
All
Preconditions
1. Elastic Stack environment version 7.11.0 BC6 should be available.
2. Install the Endpoint security on the above environment.
Steps to Reproduce
Error: The following index patterns did not match any indices: ["logs-endpoint.alerts-*"]
Actual Result
Endpoint Security Rules are Failing on 7.11.0 BC6 On-Prem
Expected Result
Endpoint Security Rules should not Fail on 7.11.0 BC6 On-Prem
What's Working
What's Not Working
Screenshots
logs
Observed that the required index "logs-endpoint.alerts-" mentioned in the error message is missing in the below response
Kibana error
Endpoint Log
endpoint-000000.zip