<!DOCTYPE html>
<html lang="en-us">
<head>
<meta charset="UTF-8">
<title>Monitor and troubleshoot rule executions | Elastic Security Solution [8.16] | Elastic</title>
<meta class="elastic" name="content" content="Monitor and troubleshoot rule executions | Elastic Security Solution [8.16]">
<link rel="home" href="index.html" title="Elastic Security Solution [8.16]"/>
<link rel="up" href="detection-engine-overview.html" title="Detections and alerts"/>
<link rel="prev" href="rules-ui-management.html" title="Manage detection rules"/>
<link rel="next" href="detections-ui-exceptions.html" title="Rule exceptions"/>
<meta class="elastic" name="product_version" content="8.16"/>
<meta class="elastic" name="product_name" content="Security"/>
<meta class="elastic" name="website_area" content="documentation"/>
<meta name="DC.type" content="Learn/Docs/Security/Guide/8.16"/>
<meta name="DC.subject" content="Security"/>
<meta name="DC.identifier" content="8.16"/>
<meta name="robots" content="noindex,nofollow"/>
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<!-- Third-party script loaded without integrity/crossorigin (SRI) attributes; SRI is only practical if the CDN serves a fixed, versioned file — confirm before adding. -->
<script src="https://cdn.optimizely.com/js/18132920325.js"></script>
<link rel="apple-touch-icon" sizes="57x57" href="/apple-icon-57x57.png">
<link rel="apple-touch-icon" sizes="60x60" href="/apple-icon-60x60.png">
<link rel="apple-touch-icon" sizes="72x72" href="/apple-icon-72x72.png">
<link rel="apple-touch-icon" sizes="76x76" href="/apple-icon-76x76.png">
<link rel="apple-touch-icon" sizes="114x114" href="/apple-icon-114x114.png">
<link rel="apple-touch-icon" sizes="120x120" href="/apple-icon-120x120.png">
<link rel="apple-touch-icon" sizes="144x144" href="/apple-icon-144x144.png">
<link rel="apple-touch-icon" sizes="152x152" href="/apple-icon-152x152.png">
<link rel="apple-touch-icon" sizes="180x180" href="/apple-icon-180x180.png">
<link rel="icon" type="image/png" href="/favicon-32x32.png" sizes="32x32">
<link rel="icon" type="image/png" href="/android-chrome-192x192.png" sizes="192x192">
<link rel="icon" type="image/png" href="/favicon-96x96.png" sizes="96x96">
<link rel="icon" type="image/png" href="/favicon-16x16.png" sizes="16x16">
<link rel="manifest" href="/manifest.json">
<meta name="apple-mobile-web-app-title" content="Elastic">
<meta name="application-name" content="Elastic">
<meta name="msapplication-TileColor" content="#ffffff">
<meta name="msapplication-TileImage" content="/mstile-144x144.png">
<meta name="theme-color" content="#ffffff">
<meta name="naver-site-verification" content="936882c1853b701b3cef3721758d80535413dbfd" />
<meta name="yandex-verification" content="d8a47e95d0972434" />
<meta name="localized" content="true" />
<meta name="st:robots" content="follow,index" />
<meta property="og:image" content="https://static-www.elastic.co/v3/assets/bltefdd0b53724fa2ce/blt280217a63b82a734/6202d3378b1f312528798412/elastic-logo.svg" />
<meta property="og:image:width" content="500" />
<meta property="og:image:height" content="172" />
<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon">
<link rel="icon" href="/favicon.ico" type="image/x-icon">
<link rel="apple-touch-icon-precomposed" sizes="64x64" href="/favicon_64x64_16bit.png">
<link rel="apple-touch-icon-precomposed" sizes="32x32" href="/favicon_32x32.png">
<link rel="apple-touch-icon-precomposed" sizes="16x16" href="/favicon_16x16.png">
<!-- Give IE8 a fighting chance -->
<!--[if lt IE 9]>
<script src="https://oss.maxcdn.com/html5shiv/3.7.2/html5shiv.min.js"></script>
<script src="https://oss.maxcdn.com/respond/1.4.2/respond.min.js"></script>
<![endif]-->
<link rel="stylesheet" type="text/css" href="/guide/static/styles-v1.css" />
</head>
<!--© 2015-2025 Elasticsearch B.V. -->
<!-- All Elastic documentation is licensed under a Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License. -->
<!-- http://creativecommons.org/licenses/by-nc-nd/4.0/ -->
<body>
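<!-- Google Tag Manager -->
<!-- Container loader for GTM-58RLH5. Both the noscript fallback and the script loader use an
     explicit https origin rather than a protocol-relative "//" URL, matching the GA4 loader
     further down; the iframe carries a title so it is not an unnamed frame. -->
<script>dataLayer = [];</script><noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-58RLH5" height="0" width="0" style="display:none;visibility:hidden" title="Google Tag Manager"></iframe></noscript>
<script>
  (function (w, d, s, l, i) {
    // Create the queue if absent and mark when the container started loading.
    w[l] = w[l] || [];
    w[l].push({ 'gtm.start': new Date().getTime(), event: 'gtm.js' });
    // Inject the container script ahead of the first existing <script>.
    var f = d.getElementsByTagName(s)[0],
        j = d.createElement(s),
        dl = l != 'dataLayer' ? '&l=' + l : '';
    j.async = true;
    j.src = 'https://www.googletagmanager.com/gtm.js?id=' + i + dl;
    f.parentNode.insertBefore(j, f);
  })(window, document, 'script', 'dataLayer', 'GTM-58RLH5');
</script>
<!-- End Google Tag Manager -->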
<!-- Global site tag (gtag.js) - Google Analytics -->
<!-- Universal Analytics property UA-12395217-16; a separate GA4 container is loaded further down. -->
<script async src="https://www.googletagmanager.com/gtag/js?id=UA-12395217-16"></script>
<script>
  // Shared queue that gtag.js drains once it has loaded.
  window.dataLayer = window.dataLayer || [];
  // gtag() hands its raw arguments object to the queue, as the GA snippet expects.
  function gtag() { window.dataLayer.push(arguments); }
  gtag('js', new Date());
  gtag('config', 'UA-12395217-16');
</script>
<!-- Google Tag Manager for GA4 -->
<!-- Container loader for GTM-KNJMG2M; same loader pattern as the first GTM snippet, already on an explicit https origin. -->
<script>
  (function (w, d, s, l, i) {
    // Create the queue if absent and record the load start.
    w[l] = w[l] || [];
    w[l].push({ 'gtm.start': new Date().getTime(), event: 'gtm.js' });
    // Insert the container script before the first existing <script>.
    var f = d.getElementsByTagName(s)[0],
        j = d.createElement(s),
        dl = l != 'dataLayer' ? '&l=' + l : '';
    j.async = true;
    j.src = 'https://www.googletagmanager.com/gtm.js?id=' + i + dl;
    f.parentNode.insertBefore(j, f);
  })(window, document, 'script', 'dataLayer', 'GTM-KNJMG2M');
</script>
<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-KNJMG2M" height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>
<!-- End Google Tag Manager for GA4-->
<!-- Site navigation slot, hidden by default; presumably populated by elastic-nav.js loaded on the next line — confirm. -->
<div id="elastic-nav" style="display:none;"></div>
<script src="https://www.elastic.co/elastic-nav.js"></script>
<div class="main-container">
<section id="content" >
<div class="content-wrapper">
<section id="guide" lang="en">
<div class="container-fluid">
<div class="row pb-3">
<div class="col-12 order-2 col-md-4 order-md-1 col-lg-3 h-almost-full-md sticky-top-md" id="left_col">
<!-- The TOC is appended here -->
</div>
<div class="col-12 order-1 col-md-8 order-md-2 col-lg-7 order-lg-2 guide-section" id="middle_col">
<!-- start body -->
<div class="page_header">
<strong>IMPORTANT</strong>: No additional bug fixes or documentation updates
will be released for this version. For the latest information, see the
<a href="../current/index.html">current release documentation</a>.
</div>
<div class="navheader">
<span class="prev">
<a href="rules-ui-management.html">« Manage detection rules</a>
</span>
<span class="next">
<a href="detections-ui-exceptions.html">Rule exceptions »</a>
</span>
</div>
<div class="book" lang="en">
<div class="titlepage">
<div class="breadcrumbs">
<span class="breadcrumb-link"><a href="/guide/">Elastic Docs</a></span>
<span class="chevron-right">›</span><span class="breadcrumb-link"><a href="index.html">Elastic Security Solution [8.16]</a></span>
<span class="chevron-right">›</span><span class="breadcrumb-link"><a href="detection-engine-overview.html">Detections and alerts</a></span>
</div>
<div>
<div><h1 class="title"><a id="id-1"></a>Monitor and troubleshoot rule executions</h1><a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/security-docs/edit/8.16/docs/detections/rules-ui-monitor.asciidoc">edit</a></div>
</div>
<!--EXTRA-->
</div>
<div id="content">
<div id="url-to-v3" class="version-warning">
<strong>IMPORTANT</strong>: This documentation is no longer updated. Refer to <a href="https://www.elastic.co/support/eol">Elastic's version policy</a> and the <a href="https://www.elastic.co/docs/solutions/security/detect-and-alert/monitor-rule-executions">latest documentation</a>.
</div>
<div class="chapter">
<div class="titlepage"><div><div>
<div class="position-relative"><h2 class="title"><a id="alerts-ui-monitor"></a>Monitor and troubleshoot rule executions</h2><a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/security-docs/edit/8.16/docs/detections/rules-ui-monitor.asciidoc">edit</a></div>
</div></div></div>
<p>Several tools can help you gain insight into the performance of your detection rules:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<a class="xref" href="alerts-ui-monitor.html#rule-monitoring-tab" title="Rule Monitoring tab">Rule Monitoring tab</a> — The current state of all detection rules and their most recent executions. Go to the <span class="strong strong"><strong>Rule Monitoring</strong></span> tab to get an overview of which rules are running, how long they’re taking, and if they’re having any trouble.
</li>
<li class="listitem">
<a class="xref" href="alerts-ui-monitor.html#rule-execution-logs" title="Execution results">Execution results</a> — Historical data for a single detection rule’s executions over time. Consult the execution results to understand how a particular rule is running and whether it’s creating the alerts you expect.
</li>
<li class="listitem">
<a class="xref" href="rule-monitoring-dashboard.html" title="Detection rule monitoring dashboard">Detection rule monitoring dashboard</a> — Visualizations to help you monitor the overall health and performance of Elastic Security’s detection rules. Consult this dashboard for a high-level view of whether your rules are running successfully and how long they’re taking to run, search data, and create alerts.
</li>
</ul>
</div>
<p>Refer to the <a class="xref" href="alerts-ui-monitor.html#troubleshoot-signals" title="Troubleshoot missing alerts">Troubleshoot missing alerts</a> section below for strategies on adjusting rules if they aren’t creating the expected alerts.</p>
<div class="position-relative"><h3><a id="rule-monitoring-tab"></a>Rule Monitoring tab</h3><a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/security-docs/edit/8.16/docs/detections/rules-ui-monitor.asciidoc">edit</a></div>
<p>To view a summary of all rule executions, including the most recent failures and execution
times, select the <span class="strong strong"><strong>Rule Monitoring</strong></span> tab on the <span class="strong strong"><strong>Rules</strong></span> page. To access the tab, find <span class="strong strong"><strong>Detection rules (SIEM)</strong></span> in the navigation menu or look for “Detection rules (SIEM)” using the <a href="/guide/en/kibana/8.16/introduction.html#kibana-navigation-search" class="ulink" target="_top">global search field</a>, then go to the <span class="strong strong"><strong>Rule Monitoring</strong></span> tab.</p>
<div class="imageblock screenshot">
<div class="content">
<img src="images/monitor-table.png" alt="monitor table">
</div>
</div>
<p>On the <span class="strong strong"><strong>Rule Monitoring</strong></span> tab, you can <a class="xref" href="rules-ui-management.html#sort-filter-rules" title="Sort and filter the rules list">sort and filter rules</a> just like you can on the <span class="strong strong"><strong>Installed Rules</strong></span> tab.</p>
<div class="tip admon">
<div class="icon"></div>
<div class="admon_content">
<p>To sort the rules list, click any column header. To sort in descending order, click the column header again.</p>
</div>
</div>
<p>For detailed information on a rule, the alerts it generated, and associated errors, click on its name in the table. This also allows you to perform the same actions that are available on the <a class="xref" href="rules-ui-management.html" title="Manage detection rules"><span class="strong strong"><strong>Installed Rules</strong></span> tab</a>, such as modifying or deleting rules, activating or deactivating rules, exporting or importing rules, and duplicating prebuilt rules.</p>
<div class="position-relative"><h3><a id="rule-execution-logs"></a>Execution results</h3><a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/security-docs/edit/8.16/docs/detections/rules-ui-monitor.asciidoc">edit</a></div>
<p>Each detection rule execution is logged, including the execution type, the execution’s success or failure, any warning or error messages, how long it took to search for data, create alerts, and complete. This can help you troubleshoot a particular rule if it isn’t behaving as expected (for example, if it isn’t creating alerts or takes a long time to run).</p>
<p>To access a rule’s execution log, click the rule’s name to open its details, then scroll down and select the <span class="strong strong"><strong>Execution results</strong></span> tab. Within the Execution log table, you can click the arrow at the end of a row to expand a long warning or error message.</p>
<div class="imageblock screenshot">
<div class="content">
<img src="images/rule-execution-logs.png" alt="Execution log table on the rule execution results tab">
</div>
</div>
<p>You can hover over each column heading to display a tooltip about that column’s data. Click a column heading to sort the table by that column.</p>
<p>Use these controls to filter what’s included in the logs table:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<p>The <span class="strong strong"><strong>Run type</strong></span> drop-down filters the table by rule execution type:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<span class="strong strong"><strong>Scheduled</strong></span>: Automatic, scheduled rule executions.
</li>
<li class="listitem">
<span class="strong strong"><strong>Manual</strong></span>: Rule executions that were <a class="xref" href="rules-ui-management.html#manually-run-rules" title="Run rules manually">started manually</a>.
</li>
</ul>
</div>
</li>
<li class="listitem">
<p>The <span class="strong strong"><strong>Status</strong></span> drop-down filters the table by rule execution status:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<span class="strong strong"><strong>Succeeded</strong></span>: The rule completed its defined search. This doesn’t necessarily mean it generated an alert, just that it ran without error.
</li>
<li class="listitem">
<span class="strong strong"><strong>Failed</strong></span>: The rule encountered an error that prevented it from running. For example, a machine learning rule whose corresponding machine learning job wasn’t running.
</li>
<li class="listitem">
<span class="strong strong"><strong>Warning</strong></span>: Nothing prevented the rule from running, but it might have returned unexpected results. For example, a custom query rule tried to search an index pattern that couldn’t be found in Elasticsearch.
</li>
</ul>
</div>
</li>
<li class="listitem">
The date and time picker sets the time range of rule executions included in the table. This is separate from the global date and time picker at the top of the rule details page.
</li>
<li class="listitem">
The <span class="strong strong"><strong>Source event time range</strong></span> button toggles the display of data pertaining to the time range of manual runs.
</li>
<li class="listitem">
The <span class="strong strong"><strong>Show metrics columns</strong></span> toggle shows or hides additional columns about the timing of each rule execution.
</li>
<li class="listitem">
The <span class="strong strong"><strong>Actions</strong></span> column allows you to show alerts generated from a given rule execution. Click the filter icon (<span class="image"><img src="images/filter-icon.png" alt="Filter icon" width="18" height="17"></span>) to create a global search filter based on the rule execution’s ID value. This replaces any previously applied filters, changes the global date and time range to 24 hours before and after the rule execution, and displays a confirmation notification. You can revert this action by clicking <span class="strong strong"><strong>Restore previous filters</strong></span> in the notification.
</li>
</ul>
</div>
<div class="position-relative"><h4><a id="manual-runs-table"></a>Manual runs table</h4><a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/security-docs/edit/8.16/docs/detections/rules-ui-monitor.asciidoc">edit</a></div>
<div class="warning admon">
<div class="icon"></div>
<div class="admon_content">
<p>This functionality is in beta and is subject to change. The design and code are less mature than those of official GA features and are provided as-is with no warranties. Beta features are not subject to the support SLA of official GA features.</p>
</div>
</div>
<p>Each manual run can produce multiple rule executions, depending on the time range of the run and the rule’s execution schedule. These details are shown in the Manual runs table.</p>
<p>To access the table, navigate to the detection rules page, click the rule’s name to open its details, then scroll down and select the <span class="strong strong"><strong>Execution results</strong></span> tab. Scroll down again to find the Manual runs table.</p>
<p>To stop an active run, go to the appropriate row and click <span class="strong strong"><strong>Stop run</strong></span> in the <span class="strong strong"><strong>Actions</strong></span> column. Completed rule executions for each manual run are logged in the Execution log table.</p>
<div class="imageblock screenshot">
<div class="content">
<img src="images/manual-rule-run-table.png" alt="Manual rule runs table on the rule execution results tab">
</div>
</div>
<p>The Manual runs table displays important details such as:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<p>The status of each manual run:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<span class="strong strong"><strong>Pending</strong></span>: The rule is not yet running.
</li>
<li class="listitem">
<span class="strong strong"><strong>Running</strong></span>: The rule is executing during the time range you specified. Some rules, such as indicator match rules, can take longer to run.
</li>
<li class="listitem">
<span class="strong strong"><strong>Error</strong></span>: The rule’s configuration is preventing it from running correctly. For example, the rule’s conditions cannot be validated.
</li>
</ul>
</div>
</li>
<li class="listitem">
When a manual run started and the time range it runs over
</li>
<li class="listitem">
The number of rule executions that are failing, pending, running, and completed for a manual run
</li>
<li class="listitem">
The total number of rule executions that are occurring for a manual run
</li>
</ul>
</div>
<div class="position-relative"><h3><a id="troubleshoot-signals"></a>Troubleshoot missing alerts</h3><a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/security-docs/edit/8.16/docs/detections/rules-ui-monitor.asciidoc">edit</a></div>
<p>When a rule fails to run close to its scheduled time, some alerts may be
missing. There are a number of ways to try to resolve this issue:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<a class="xref" href="alerts-ui-monitor.html#troubleshoot-gaps" title="Troubleshoot gaps">Troubleshoot gaps</a>
</li>
<li class="listitem">
<a class="xref" href="alerts-ui-monitor.html#troubleshoot-ingestion-pipeline-delay" title="Troubleshoot ingestion pipeline delay">Troubleshoot ingestion pipeline delay</a>
</li>
<li class="listitem">
<a class="xref" href="alerts-ui-monitor.html#ml-job-compatibility" title="Troubleshoot missing alerts for machine learning jobs">Troubleshoot missing alerts for machine learning jobs</a>
</li>
</ul>
</div>
<p>You can also use Task Manager in Kibana to troubleshoot background tasks and processes that may be related to missing alerts:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<a href="/guide/en/kibana/8.16/task-manager-health-monitoring.html" class="ulink" target="_top">Task Manager health monitoring</a>
</li>
<li class="listitem">
<a href="/guide/en/kibana/8.16/task-manager-troubleshooting.html" class="ulink" target="_top">Task Manager troubleshooting</a>
</li>
</ul>
</div>
<div class="position-relative"><h4><a id="troubleshoot-max-alerts"></a>Troubleshoot maximum alerts warning</h4><a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/security-docs/edit/8.16/docs/detections/rules-ui-monitor.asciidoc">edit</a></div>
<p>When a rule reaches the maximum number of alerts it can generate during a single rule execution, the following warning appears on the rule’s details page and in the rule execution log: <code class="literal">This rule reached the maximum alert limit for the rule execution. Some alerts were not created.</code></p>
<p>If you receive this warning, go to the rule’s <span class="strong strong"><strong>Alerts</strong></span> tab and check for anything unexpected. Unexpected alerts might be created from data source issues or queries that are too broadly scoped. To further reduce alert volume, you can also add <a class="xref" href="add-exceptions.html" title="Add and manage exceptions">rule exceptions</a> or <a class="xref" href="alert-suppression.html" title="Suppress detection alerts">suppress alerts</a>.</p>
<div class="position-relative"><h4><a id="troubleshoot-gaps"></a>Troubleshoot gaps</h4><a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/security-docs/edit/8.16/docs/detections/rules-ui-monitor.asciidoc">edit</a></div>
<p>If you see values in the Gaps column in the Rule Monitoring table or on the Rule details page
for a small number of rules, you can edit those rules and increase their additional look-back time.</p>
<p>It’s recommended to set the <code class="literal">Additional look-back time</code> to at
least 1 minute. This ensures there are no missing alerts when a rule doesn’t
run exactly at its scheduled time.</p>
<p>Elastic Security prevents duplication. Any duplicate alerts that are discovered during the
<code class="literal">Additional look-back time</code> are <em>not</em> created.</p>
<div class="note admon">
<div class="icon"></div>
<div class="admon_content">
<p>If the rule that experiences gaps is an indicator match rule, see <a class="xref" href="tuning-detection-signals.html#tune-indicator-rules" title="Tune indicator match rules">how to tune indicator match rules</a>. Note also that Elastic Security provides <a class="xref" href="detection-engine-overview.html#support-indicator-rules" title="Limited support for indicator match rules">limited support for indicator match rules</a>.</p>
</div>
</div>
<p>If you see gaps for numerous rules:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
If you restarted Kibana when many rules were activated, try deactivating them
and then reactivating them in small batches at staggered intervals. This
ensures Kibana does not attempt to run all the rules at the same time.
</li>
<li class="listitem">
Consider adding another Kibana instance to your environment.
</li>
</ul>
</div>
<div class="position-relative"><h4><a id="troubleshoot-ingestion-pipeline-delay"></a>Troubleshoot ingestion pipeline delay</h4><a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/security-docs/edit/8.16/docs/detections/rules-ui-monitor.asciidoc">edit</a></div>
<p>Even if your rule runs at its scheduled time, there might still be missing alerts if your ingestion pipeline delay is greater than your rule interval + additional look-back time. Prebuilt rules have a minimum interval + additional look-back time of 6 minutes in Elastic Stack version &gt;=7.11.0. To avoid missed alerts for prebuilt rules, use caution to ensure that ingestion pipeline delays remain below 6 minutes.</p>
<p>In addition, use caution when creating custom rule schedules to ensure that the specified interval + additional look-back time is greater than your deployment’s ingestion pipeline delay.</p>
<p>You can reduce the number of missed alerts due to ingestion pipeline delay by specifying the <code class="literal">Timestamp override</code> field value to <code class="literal">event.ingested</code> in <a class="xref" href="rules-ui-create.html#rule-ui-advanced-params" title="Configure advanced rule settings (optional)">advanced settings</a> during rule creation or editing. The detection engine uses the value from the <code class="literal">event.ingested</code> field as the timestamp when executing the rule.</p>
<p>For example, say an event occurred at 10:00 but wasn’t ingested into Elasticsearch until 10:10 due to an ingestion pipeline delay. If you created a rule to detect that event with an interval + additional look-back time of 6 minutes, and the rule executes at 10:12, it would still detect the event because the <code class="literal">event.ingested</code> timestamp was from 10:10, only 2 minutes before the rule executed and well within the rule’s 6-minute interval + additional look-back time.</p>
<div class="imageblock screenshot">
<div class="content">
<img src="images/timestamp-override.png" alt="timestamp override">
</div>
</div>
<div class="position-relative"><h4><a id="ml-job-compatibility"></a>Troubleshoot missing alerts for machine learning jobs</h4><a class="edit_me edit_me_private" rel="nofollow" title="Editing on GitHub is available to Elastic" href="https://github.com/elastic/security-docs/edit/8.16/docs/detections/rules-ui-monitor.asciidoc">edit</a></div>
<p>Machine learning detection rules use machine learning jobs that have dependencies on data fields populated by the Beats and Elastic Agent integrations. In Elastic Stack version 8.3, new machine learning jobs (prefixed with <code class="literal">v3</code>) were released to operate on the ECS fields available at that time.</p>
<p>If you’re using 8.2 or earlier versions of Beats or Elastic Agent with Elastic Stack version 8.3 or later, you may need to duplicate prebuilt rules or create new custom rules <em>before</em> you update the Elastic prebuilt rules. Once you update the prebuilt rules, they will only use <code class="literal">v3</code> machine learning jobs. Duplicating the relevant prebuilt rules before updating them ensures continued coverage by allowing you to keep using <code class="literal">v1</code> or <code class="literal">v2</code> jobs (in the duplicated rules) while also running the new <code class="literal">v3</code> jobs (in the updated prebuilt rules).</p>
<div class="important admon">
<div class="icon"></div>
<div class="admon_content">
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
Duplicated rules may result in duplicate anomaly detections and alerts.
</li>
<li class="listitem">
Ensure that the relevant <code class="literal">v3</code> machine learning jobs are running before you update the Elastic prebuilt rules.
</li>
</ul>
</div>
</div>
</div>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
If you only have <span class="strong strong"><strong>8.3 or later versions of Beats and Elastic Agent</strong></span>: You can download or update your prebuilt rules and use the latest <code class="literal">v3</code> machine learning jobs. No additional action is required.
</li>
<li class="listitem">
If you only have <span class="strong strong"><strong>8.2 or earlier versions of Beats or Elastic Agent</strong></span>, or <span class="strong strong"><strong>a mix of old and new versions</strong></span>: To continue using the <code class="literal">v1</code> and <code class="literal">v2</code> machine learning jobs specified by pre-8.3 prebuilt detection rules, you must duplicate affected prebuilt rules <em>before</em> updating them to the latest rule versions. The duplicated rules can continue using the same <code class="literal">v1</code> and <code class="literal">v2</code> machine learning jobs, and the updated prebuilt machine learning rules will use the new <code class="literal">v3</code> machine learning jobs.
</li>
<li class="listitem">
If you have <span class="strong strong"><strong>a non-Elastic data shipper that gathers ECS-compatible events</strong></span>: You can use the latest <code class="literal">v3</code> machine learning jobs with no additional action required, as long as your data shipper uses the latest ECS specifications. However, if you’re migrating from machine learning rules using <code class="literal">v1</code>/<code class="literal">v2</code> jobs, ensure that you start the relevant <code class="literal">v3</code> jobs before updating the Elastic prebuilt rules.
</li>
</ul>
</div>
<p>The following Elastic prebuilt rules use the new <code class="literal">v3</code> machine learning jobs to generate alerts. Duplicate their associated <code class="literal">v1</code>/<code class="literal">v2</code> prebuilt rules <em>before</em> updating them if you need continued coverage from the <code class="literal">v1</code>/<code class="literal">v2</code> machine learning jobs:</p>
<div class="ulist itemizedlist">
<ul class="itemizedlist">
<li class="listitem">
<a class="xref" href="unusual-linux-network-port-activity.html" title="Unusual Linux Network Port Activity">Unusual Linux Network Port Activity</a>: <code class="literal">v3_linux_anomalous_network_port_activity</code>
</li>
<li class="listitem">
<a class="xref" href="unusual-linux-network-connection-discovery.html" title="Unusual Linux Network Connection Discovery">Unusual Linux Network Connection Discovery</a>: <code class="literal">v3_linux_anomalous_network_connection_discovery</code>
</li>
<li class="listitem">
<a class="xref" href="anomalous-process-for-a-linux-population.html" title="Anomalous Process For a Linux Population">Anomalous Process For a Linux Population</a>: <code class="literal">v3_linux_anomalous_process_all_hosts</code>
</li>
<li class="listitem">
<a class="xref" href="unusual-linux-username.html" title="Unusual Linux Username">Unusual Linux Username</a>: <code class="literal">v3_linux_anomalous_user_name</code>
</li>
<li class="listitem">
<a class="xref" href="unusual-linux-process-calling-the-metadata-service.html" title="Unusual Linux Process Calling the Metadata Service">Unusual Linux Process Calling the Metadata Service</a>: <code class="literal">v3_linux_rare_metadata_process</code>
</li>
<li class="listitem">
<a class="xref" href="unusual-linux-user-calling-the-metadata-service.html" title="Unusual Linux User Calling the Metadata Service">Unusual Linux User Calling the Metadata Service</a>: <code class="literal">v3_linux_rare_metadata_user</code>
</li>
<li class="listitem">
<a class="xref" href="unusual-process-for-a-linux-host.html" title="Unusual Process For a Linux Host">Unusual Process For a Linux Host</a>: <code class="literal">v3_rare_process_by_host_linux</code>
</li>
<li class="listitem">
<a class="xref" href="unusual-process-for-a-windows-host.html" title="Unusual Process For a Windows Host">Unusual Process For a Windows Host</a>: <code class="literal">v3_rare_process_by_host_windows</code>
</li>
<li class="listitem">
<a class="xref" href="unusual-windows-network-activity.html" title="Unusual Windows Network Activity">Unusual Windows Network Activity</a>: <code class="literal">v3_windows_anomalous_network_activity</code>
</li>
<li class="listitem">
<a class="xref" href="unusual-windows-path-activity.html" title="Unusual Windows Path Activity">Unusual Windows Path Activity</a>: <code class="literal">v3_windows_anomalous_path_activity</code>
</li>
<li class="listitem">
<a class="xref" href="anomalous-windows-process-creation.html" title="Anomalous Windows Process Creation">Anomalous Windows Process Creation</a>: <code class="literal">v3_windows_anomalous_process_creation</code>
</li>
<li class="listitem">
<a class="xref" href="anomalous-process-for-a-windows-population.html" title="Anomalous Process For a Windows Population">Anomalous Process For a Windows Population</a>: <code class="literal">v3_windows_anomalous_process_all_hosts</code>
</li>
<li class="listitem">
<a class="xref" href="unusual-windows-username.html" title="Unusual Windows Username">Unusual Windows Username</a>: <code class="literal">v3_windows_anomalous_user_name</code>
</li>
<li class="listitem">
<a class="xref" href="unusual-windows-process-calling-the-metadata-service.html" title="Unusual Windows Process Calling the Metadata Service">Unusual Windows Process Calling the Metadata Service</a>: <code class="literal">v3_windows_rare_metadata_process</code>
</li>
<li class="listitem">
<a class="xref" href="unusual-windows-user-calling-the-metadata-service.html" title="Unusual Windows User Calling the Metadata Service">Unusual Windows User Calling the Metadata Service</a>: <code class="literal">v3_windows_rare_metadata_user</code>
</li>
</ul>
</div>
</div>
</div>
</div><div class="navfooter">
</div>
<!-- end body -->
</div>
</div>
</div>
</section>
</div>
</section>
</div>
</body>
</html>