ElastAlert: Rule Mismatch

[kubratmaca]

Version

2.4.80

Installation Method

Security Onion ISO image

Description

installation

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8 GB

RAM

32 GB

Storage for /

1 TB

Storage for /nsm

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

Yes, there are salt failures (please provide detail below)

Logs

Yes, there are additional clues in /opt/so/log/ (please provide detail below)

Detail

elasticalert rule mismatch and no alerts

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

Is this Sigma rule - 24e3e58a-646b-4b50-adef-02ef935b9fc8 - Hacktool Execution - Imphash enabled? If so, try and disable and see if that solves the issue.

Also, if you click on the words Rule Mismatch it will pivot to logs in Hunt, look at the integrity check failed logs and see if there are any clues.

[kubratmaca]

problem solved thanks