Managing signal detection rules

This functionality is in beta and is subject to change. The design and code is less mature than official GA features and is being provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.

Rules run periodically and search the specified indices for documents that meet their criteria.

After you activate a rule, periodically check that the rule is running as expected. When a rule fails to run, the SIEM app tries to rerun it at its next scheduled run time, and an error is displayed in the Failure History table on the Rule details page (SIEM → Detections → Manage signal detection rules → <rule name>).

If you see the error message gaps of <x> minutes, and could be missing signals within that time, see Troubleshoot missing signals.

On the Rules page, you can load prebuilt Elastic rules, create new rules, modify existing rules, and import and export rules, as described in the following sections.

Load prebuilt Elastic rules

To load the SIEM app’s prebuilt rules, click Load Elastic prebuilt rules on the Signal detection rules page (SIEM → Detections → Manage signal detection rules).

If you delete any of the prebuilt rules, a button appears that enables reloading all the deleted prebuilt rules.

By default, prebuilt rules are not activated. If you want to modify a prebuilt rule, you must first duplicate it and then make your changes to the duplicated rule. Filter out uncommon application signals provides a detailed example of duplicating and modifying a rule.

All Elastic prebuilt rules are tagged with the word Elastic.

Select and duplicate all prebuilt rules

  1. Select the Elastic rules tab.
  2. Scroll to the bottom of the page.
  3. Click the Rows per page menu, and then select 200 rows.
  4. When the page reloads, select all the rules.
  5. Click Bulk actions → Duplicate selected.
  6. Select the Custom rules tab.

You can then modify the duplicated rules and, if required, delete the prebuilt ones.

Create a new rule

  1. Go to SIEM → Detections → Manage signal detection rules.
  2. Click Create new rule.

    The Create new rule page is displayed.

  3. Define which Elasticsearch indices the rule analyzes for signals.
  4. Use the filter and query fields to create the criteria used for detecting signals.

    You can use Kibana saved queries (save icon) and queries from saved timelines (Import query from saved timeline) as rule conditions.

    For example, the following rule detects when the vssadmin delete shadows Windows command is executed:

    • Index patterns: winlogbeat-*

      Winlogbeat ships Windows event logs to the SIEM app.

    • Custom query: event.action:"Process Create (rule: ProcessCreate)" and process.name:"vssadmin.exe" and process.args:("delete" and "shadows")

      Searches the winlogbeat-* indices for vssadmin.exe executions with the delete and shadows arguments, which are used to delete a volume’s shadow copies.


      This example is based on the Volume Shadow Copy Deletion via VssAdmin prebuilt rule.

  5. Click Continue.

    The About rule pane is displayed.

  6. Fill in the following fields:

    1. Name: The rule’s name.
    2. Description: A description of what the rule does.
    3. Severity: Select the severity level of signals created by the rule:

      • Low: Signals that are of interest but generally not considered to be security incidents. Sometimes, a combination of low severity events can indicate suspicious activity.
      • Medium: Signals that require investigation.
      • High: Signals that require an immediate investigation.
      • Critical: Signals that indicate it is highly likely a security incident has occurred.
    4. Risk score: A numerical value between 0 and 100 that correlates with the Severity level. General guidelines are:

      • 0 - 21 represents low severity.
      • 22 - 47 represents medium severity.
      • 48 - 73 represents high severity.
      • 74 - 100 represents critical severity.
    5. For additional options, click Advanced settings and fill in any of these fields:

      1. Timeline template (optional): Select a timeline template used when you send a signal created by the rule to the timeline.

        Before you create rules, create and save relevant timelines so they can be selected here. When signals generated by the rule are investigated in Timeline, some query field values are replaced with their corresponding signal field values.

      2. Reference URLs (optional): References to information that is relevant to the rule. For example, links to relevant background information.
      3. False positives (optional): List of common scenarios that may produce false-positive signals.
      4. MITRE ATT&CK™ (optional): Relevant MITRE framework tactics and techniques.
      5. Tags (optional): Words and phrases used to categorize, filter, and search the rule.
  7. Click Continue.

    The Schedule rule pane is displayed.

  8. Select how often the rule runs.
  9. Optionally, add Additional look-back time to the rule. When defined, each run also searches the indices for documents added during the additional time before the run interval.

    For example, if you set a rule to run every 5 minutes with an additional look-back time of 1 minute, the rule runs every 5 minutes but analyses the documents added to indices during the last 6 minutes.

    It is recommended to set the Additional look-back time to at least 1 minute. This ensures there are no missing signals when a rule does not run exactly at its scheduled time.

    The SIEM app performs deduplication. Duplicate signals discovered during the Additional look-back time are not created.

  10. Save the rule with or without activation.

    When you activate a rule, it is queued and its schedule is determined by its initial run time. For example, if you activate a rule that runs every 5 minutes at 14:03 but it does not run until 14:04, it will run again at 14:09.
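As an added illustration (not Elastic's code and not how the SIEM app is implemented internally), this Python model applies the example vssadmin query above to constructed Winlogbeat-style events, builds each run's search window from the interval plus Additional look-back time, skips signals already created from the overlapping look-back, and computes the gap a late run leaves when it exceeds the look-back. The event documents, rule id and deduplication key are constructed assumptions.

```python
"""Added toy model (not Elastic's code): apply the page's vssadmin query to
constructed Winlogbeat-style events, build each run's search window from
interval + additional look-back, deduplicate signals, and measure gaps."""
from datetime import datetime, timedelta

T0 = datetime(2020, 1, 1, 14, 0)            # constructed base time (14:00)
INTERVAL = timedelta(minutes=5)             # rule runs every 5 minutes
LOOKBACK = timedelta(minutes=1)             # additional look-back time
PROCESS_CREATE = "Process Create (rule: ProcessCreate)"

def matches(ev):
    """The page's custom query: event.action, process.name, and both args present."""
    return (ev.get("event.action") == PROCESS_CREATE
            and ev.get("process.name") == "vssadmin.exe"
            and {"delete", "shadows"} <= set(ev.get("process.args", [])))

def search_window(run_at, interval=INTERVAL, lookback=LOOKBACK):
    """A run searches interval + additional look-back, ending at its run time."""
    return run_at - interval - lookback, run_at

def gap_minutes(prev_run, run_at, interval=INTERVAL, lookback=LOOKBACK):
    """Minutes no run searched: from the previous run to this window's start (0 if none)."""
    start, _ = search_window(run_at, interval, lookback)
    return max((start - prev_run).total_seconds() / 60, 0.0)

def run_rule(rule_id, events, run_at, seen, interval=INTERVAL, lookback=LOOKBACK):
    """Return new signal keys for this run; keys already in `seen` are deduplicated away."""
    start, end = search_window(run_at, interval, lookback)
    new = []
    for ev in events:
        if start <= ev["@timestamp"] < end and matches(ev):
            key = (rule_id, ev["_id"])          # constructed dedup key: rule + source doc
            if key not in seen:
                seen.add(key)
                new.append(key)
    return new

# Constructed events: a shadow-copy deletion at 14:04:30 and a benign listing at 14:04:40.
EVENTS = [
    {"_id": "e1", "@timestamp": T0 + timedelta(minutes=4, seconds=30), "event.action": PROCESS_CREATE,
     "process.name": "vssadmin.exe", "process.args": ["vssadmin.exe", "delete", "shadows", "/all"]},
    {"_id": "e2", "@timestamp": T0 + timedelta(minutes=4, seconds=40), "event.action": PROCESS_CREATE,
     "process.name": "vssadmin.exe", "process.args": ["vssadmin.exe", "list", "shadows"]},
]

def simulate():
    """Runs at 14:05 and 14:10: the second re-searches 14:04-14:05 but creates no duplicate."""
    seen = set()
    first = run_rule("vss-rule", EVENTS, T0.replace(minute=5), seen)
    second = run_rule("vss-rule", EVENTS, T0.replace(minute=10), seen)
    return len(first), len(second)
```

A run that is one minute late (14:11) still leaves no gap with a one-minute look-back, which is why the page recommends at least 1 minute; a run two minutes late (14:12) leaves one unsearched minute.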

Modify existing rules

You can clone, edit, activate, deactivate, and delete rules:

  1. Go to SIEM → Detections → Manage signal detection rules.
  2. Do one of the following:

    • Click the actions icon (three dots) and then select the required action.
    • In the Rule column, select all the rules you want to act on, and then select the required action from the Batch actions menu.
  3. To activate or deactivate a rule, click the Activate toggle button.

Import and export rules

  1. Go to SIEM → Detections → Manage signal detection rules.
  2. To import rules:

    1. Click Import rule.
    2. Drag-and-drop files containing the signal detection rules.

      Imported rules must be in an .ndjson file (one JSON rule object per line).

  3. To export rules:

    1. In the All rules table, select the rules you want to export.
    2. Select Batch actions → Export selected.

      You cannot export prebuilt rules.

Troubleshoot missing signals

When a rule fails to run close to its scheduled time, some signals may be missing. There are a number of steps you can take to try to resolve this issue.

If you see gaps of <x> minutes error messages for a small number of rules, you can increase those rules' Additional look-back time (Signal detection rules page → the rule’s actions icon → Edit rule settings → Schedule → Additional look-back time).

If you see gaps of <x> minutes for a lot of rules:

  • If you restarted Kibana when many rules were activated, try deactivating them and then reactivating them in small batches at staggered intervals. This ensures Kibana does not attempt to run all the rules at the same time.
  • Consider adding another Kibana instance to your environment.