Created new index pattern, alerts now not coming from new pattern #1399
-
|
Previously my Sysmon logs were just grouped in my winlogbeat-* pattern, however I decided to isolate them into their own sysmon-* pattern. Upon creating this new pattern (as well as changing my ElastAlert2 rules corresponding to Sysmon logs to now look at the sysmon-* pattern instead of the winlogbeat-* pattern) I noticed they are not getting any hits at all. I am wondering what the reason could be? I changed the settings of the sysmon-* template to match the winlogbeat-* template, but not the mappings since it seemed much more cumbersome if that could be related to the issue. |
Beta Was this translation helpful? Give feedback.
Replies: 1 comment
-
|
Fixed it by cloning the winlogbeat template In index templates into a new sysmon template. |
Beta Was this translation helpful? Give feedback.
Fixed it by cloning the winlogbeat template In index templates into a new sysmon template.