Creating a new Sigma detection to alert on Elastic Agent malware quarantine

[liquidsuspension]

Version

2.4.190

Installation Method

Security Onion ISO image

Description

configuration

Installation Type

Distributed

Location

on-prem with Internet access

Hardware Specs

Exceeds minimum requirements

CPU

8

RAM

128 GB

Storage for /

300 GB

Storage for /nsm

10 TB

Network Traffic Collection

span port

Network Traffic Speeds

1Gbps to 10Gbps

Status

Yes, all services on all nodes are running OK

Salt Status

No, there are no failures

Logs

No, there are no additional clues

Detail

I have a new install of Security Onion and I have Elastic Agent on a handful of test machines. I had a internal application get quarantined by the agent, and realized I need an alert for this to occur in SOC Alerts. I tried setting up a Sigma detection, but it fails to convert. Here's the error text:

Request failed with status code 500
See the Help section of the Security Onion documentation for additional troubleshooting guidance. 
The Hunt interface may contain additional log messages to further diagnose the issue. 

I feel like it's either syntax or I'm not pointing to the logsource correctly. Any tips?

title: Elastic Endpoint Successful File Quarantine
id: elastic-endpoint-quarantine-001
description: Detects successful file quarantine actions logged by the Elastic Endpoint agent.
status: test
author: Username
date: 2025-12-03

logsource:
  category: endpoint
  product: elastic_endpoint

detection:
  selection:
    event.dataset: elastic_agent.endpoint_security
    message|contains: 'Successfully quarantined file:'
  condition: selection

level: high
tags:
  - elastic.endpoint
  - quarantine
  - malware

Guidelines

• I have read the discussion guidelines at Read before posting! #1720 and assert that I have followed the guidelines.

[cm-ops]

It's your tags. Follow https://sigmahq.io/docs/basics/rules.html#metadata-tags for your tags and it will convert.

[liquidsuspension]

Sure enough was. Thanks! It's all good now.