Endpoint Security (Elastic Defend) - no index matching: ["logs-endpoint.alerts-*"] was found #14456

presianbg · 2025-03-26T16:46:59Z

presianbg
Mar 26, 2025

Version

2.4.140

Installation Method

Security Onion ISO image

Description

other (please provide detail below)

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

42

RAM

128

Storage for /

300GB

Storage for /nsm

1TB

Network Traffic Collection

span port

Network Traffic Speeds

Less than 1Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

Guidelines

I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

Hi,

Version
2.4.140
Distributed setup: 1 Manager, 1 Search, 1 Forward nodes

I'm testing the Elastic Endpoint and found that no alerts are being generated from it.
I have this warning in Kibana -> Security -> Detection rules (SIEM) -> Installed Rules -> Endpoint Security (Elastic Defend):

Output of so-elasticsearch-pipelines-list | grep endpoint | grep alert shows :

"logs-endpoint.alerts-8.17.0",

Any ideas what's wrong with my setup? Are those rules even supposed to be utilized by the Security Onion ?

Best Regards,
Presian

Answered by presianbg

Mar 27, 2025

Figure it out... this rule is for alerting upon malware detection.
The default Elastic Defend integration setting is off, so turning it on and dropping a malware on the host is creating the missing index and alert is being triggered:

So the next missing piece is how to make it appear as an alert in SOC dashboard:

~~Any ideas ?~~
Looks like a custom sigma rule in Detections is the only path forward:

View full answer

presianbg · 2025-03-27T14:34:30Z

presianbg
Mar 27, 2025
Author

Figure it out... this rule is for alerting upon malware detection.
The default Elastic Defend integration setting is off, so turning it on and dropping a malware on the host is creating the missing index and alert is being triggered:

So the next missing piece is how to make it appear as an alert in SOC dashboard:

~~Any ideas ?~~
Looks like a custom sigma rule in Detections is the only path forward:

0 replies

defensivedepth · 2025-03-28T11:28:19Z

defensivedepth
Mar 28, 2025
Maintainer

@presianbg We currently map antivirus Sigma rules to Windows Defender: https://github.com/Security-Onion-Solutions/securityonion/blob/2.4/main/salt/soc/files/soc/sigma_so_pipeline.yaml#L30

I have created an issue to track this - possibly we can automagically swap that mapping to Elastic Defend if we see the malware detection feature switched on.

#14468

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Endpoint Security (Elastic Defend) - no index matching: ["logs-endpoint.alerts-*"] was found #14456

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 2 comments

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Endpoint Security (Elastic Defend) - no index matching: ["logs-endpoint.alerts-*"] was found #14456

Uh oh!

Uh oh!

presianbg Mar 26, 2025

Version

Installation Method

Description

Installation Type

Location

Hardware Specs

CPU

RAM

Storage for /

Storage for /nsm

Network Traffic Collection

Network Traffic Speeds

Status

Salt Status

Logs

Detail

Guidelines

Replies: 2 comments

Uh oh!

Uh oh!

presianbg Mar 27, 2025 Author

Uh oh!

defensivedepth Mar 28, 2025 Maintainer

presianbg
Mar 26, 2025

presianbg
Mar 27, 2025
Author

defensivedepth
Mar 28, 2025
Maintainer