Tags: kibana, elastic-stack, elk

Some pre-built rules in Kibana have failed


I activated all rules in Kibana, but some of the rules are in failed status. When I open the rule, this error is shown:

An error occurred during rule execution: message: "linux_anomalous_network_port_activity_ecs,v2_linux_anomalous_network_port_activity_ecs missing" name: "Unusual Linux Network Port Activity" id: "864e1b5b-a0e7-11ef-b29b-e1d86193c47a" rule id: "3c7e32e6-6104-46d9-a06e-da0f8b5795a0" signals index: ".siem-signals-default"

First, I took a look at the rule query and copied it into Discover, and I got some results. But there are no alarms in the rules.

Second, I cleared the cache of the ".siem-signals-default" index and refreshed it. No change.

After that, I duplicated the rule and modified it with the indices I need, same query and schedule; the new rule shows the same error.

Can anyone help me with this situation?

I use:

ELK 7.17.25

Ubuntu 20.04

ML activated with no jobs.
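The two identifiers quoted before the word "missing" in the error above are the IDs of the prebuilt machine-learning jobs that the "Unusual Linux Network Port Activity" rule depends on. As an added example (not code from the poster or from Elastic), the script below pulls those job IDs out of such execution-error messages and lists, per failed rule, the jobs that are not present on the cluster. The rule-status records and the set of installed jobs are constructed sample data; the field names `name`, `rule_id`, `status` and `message` are an assumption for this example, not the exact shape of Kibana's rule-status API.

```python
"""Triage failed Kibana detection rules whose execution error names
missing machine-learning jobs.

Added example: parses the error text shown in the post.  The rule list
and the installed-job set are constructed sample data, not API output.
"""

import re

# Constructed sample: one record per rule.  The failure text is copied
# from the post; the field names are an assumption for this example.
SAMPLE_STATUSES = [
    {
        "name": "Unusual Linux Network Port Activity",
        "rule_id": "3c7e32e6-6104-46d9-a06e-da0f8b5795a0",
        "status": "failed",
        "message": (
            'An error occurred during rule execution: message: '
            '"linux_anomalous_network_port_activity_ecs,'
            'v2_linux_anomalous_network_port_activity_ecs missing" '
            'name: "Unusual Linux Network Port Activity"'
        ),
    },
    {
        "name": "Some healthy query rule",
        "rule_id": "00000000-0000-0000-0000-000000000001",
        "status": "succeeded",
        "message": "",
    },
]

# Constructed: ML jobs assumed to exist on the cluster.  The poster
# reported ML enabled with no jobs, so the set is empty here.
INSTALLED_ML_JOBS = set()

# The quoted text before the word "missing" is a comma-separated list of
# ML job IDs, e.g. message: "job_a,job_b missing"
_MISSING_RE = re.compile(r'message:\s*"([^"]+?)\s+missing"')


def missing_job_ids(message):
    """Return the ML job IDs named in a '<ids> missing' execution error.

    Returns an empty list when the message does not have that shape.
    """
    match = _MISSING_RE.search(message)
    if not match:
        return []
    return [job.strip() for job in match.group(1).split(",") if job.strip()]


def jobs_to_install(statuses, installed):
    """Map each failed rule's name to the job IDs it needs but which are
    not in `installed`.  Rules that are not failed, or whose failure is
    unrelated to missing jobs, are left out."""
    needed = {}
    for rule in statuses:
        if rule.get("status") != "failed":
            continue
        missing = [
            job for job in missing_job_ids(rule.get("message", ""))
            if job not in installed
        ]
        if missing:
            needed[rule["name"]] = missing
    return needed


if __name__ == "__main__":
    for name, jobs in jobs_to_install(SAMPLE_STATUSES, INSTALLED_ML_JOBS).items():
        print(f"{name}: needs ML jobs {', '.join(jobs)}")
```

The regex is deliberately anchored on the `message: "..."` wrapper so that a failure message about something else (a missing index, a query error) yields no job IDs instead of a false match; a practitioner would feed it the failure text of every failed rule and compare against the job list from Machine Learning > Anomaly Detection before touching the signals index.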


Solution

  • I solved the problem, but I don't know why this happened.

    Refreshing or clearing the cache of the ".siem-signals-default" index is not enough to solve the problem. I needed to flush the index and set the indicator index query to @timestamp >= "now-1h", or a time after flushing the index.

    But why is this happening?