Alerts not being generated despite Kibana populating #14247
Replies: 1 comment
Try the following command |
Version: 2.4.120
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Standalone
Location: on-prem with Internet access
Hardware Specs: Exceeds minimum requirements
CPU: 16
RAM: 32
Storage for /: 500 GB
Storage for /nsm: 74 GB
Network Traffic Collection: span port
Network Traffic Speeds: Less than 1Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: No, there are no additional clues
Detail
SecurityOnion is not triggering any alerts based on detection rules even though Kibana is properly populating with all required data.
In my test I created a detection rule for the PowerShell command "get-mpcomputerstatus".
I ran the command multiple times and Kibana shows every single instance of the command being run, including the field that is mentioned in the detection rule. There is also an additional entry of the securityonion VM parsing the Sigma rules. Even in SecurityOnion itself the events can be seen in the Dashboards, yet no alert is ever triggered in SecurityOnion. I also tried to just trigger a couple of predefined sigma rules, also unsuccessful.
I also tried a reinstall of the elastic agent without any improvement.
I would gladly appreciate help in fixing this. Thanks in advance!
Guidelines
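The post above describes a Sigma rule keyed on a PowerShell command line that never fires even though the events are visible in Kibana. The first thing worth checking in that situation is whether the field name and modifier in the rule's selection line up with the field actually present in the indexed document. The following is an added example, not Security Onion's code and not the command the reply refers to: a minimal Sigma-style selection matcher, run locally against two constructed events (one ECS-shaped with `process.command_line`, one carrying the same command line only under a raw Windows field name). The rule, the event documents and the field names are assumptions for illustration.

```python
"""
Minimal Sigma-style selection matcher for checking that a detection rule's
field names and modifiers line up with the fields in an indexed event.
Added example, not Security Onion's own code; all events below are constructed.
Only a single selection with `condition: selection` is handled.
"""
from typing import Any, List, Optional


def get_field(event: dict, dotted: str) -> Any:
    """Resolve a dotted ECS path such as 'process.command_line' against a
    nested document; a flat key of the same name is accepted too."""
    if dotted in event:
        return event[dotted]
    cur: Any = event
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def value_matches(actual: Any, expected: str, modifier: Optional[str]) -> bool:
    """Sigma string matching is case-insensitive. Supported modifiers:
    contains, startswith, endswith; no modifier means equality."""
    if actual is None:
        return False
    a = str(actual).lower()
    e = expected.lower()
    if modifier is None:
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")


def selection_matches(selection: dict, event: dict) -> bool:
    """Keys in a Sigma selection map are ANDed; a list of values is ORed."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        values = expected if isinstance(expected, list) else [expected]
        actual = get_field(event, field)
        if not any(value_matches(actual, v, modifier or None) for v in values):
            return False
    return True


def missing_fields(selection: dict, event: dict) -> List[str]:
    """Fields the rule keys on that the event does not carry at all: the usual
    reason a rule stays silent on events that are plainly visible in Kibana."""
    names = [k.partition("|")[0] for k in selection]
    return [n for n in names if get_field(event, n) is None]


# Constructed rule mirroring the test case described in the post.
RULE = {
    "title": "Defender status queried via PowerShell (example)",
    "logsource": {"category": "process_creation", "product": "windows"},
    "detection": {
        "selection": {"process.command_line|contains": "Get-MpComputerStatus"},
        "condition": "selection",
    },
}

# Constructed events, not real captures. ECS_EVENT is shaped the way an
# ECS-normalised process-creation event carries its command line;
# RAW_EVENT has the same command line only under a raw Windows field name.
ECS_EVENT = {
    "event": {"category": ["process"], "type": ["start"]},
    "process": {
        "name": "powershell.exe",
        "command_line": "powershell.exe -NoProfile -Command get-mpcomputerstatus",
    },
}
RAW_EVENT = {
    "winlog": {"event_data": {"CommandLine": "powershell.exe -Command get-mpcomputerstatus"}},
}


def evaluate(rule: dict, event: dict) -> dict:
    """Report whether the rule's selection matches and which fields it lacks."""
    sel = rule["detection"]["selection"]
    return {"matched": selection_matches(sel, event), "missing_fields": missing_fields(sel, event)}


if __name__ == "__main__":
    for name, ev in (("ECS_EVENT", ECS_EVENT), ("RAW_EVENT", RAW_EVENT)):
        print(name, evaluate(RULE, ev))
```

Running it shows the rule matching the ECS-shaped event and reporting `process.command_line` as missing on the raw-field event, even though a search for the command string in Kibana would surface both. The matcher only evaluates the selection offline; it says nothing about why the platform's own pipeline did not raise an alert, which the post leaves open.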