The SIEM app is now a part of the Elastic Security solution.
Monitoring and troubleshooting rule executions
To view a summary of all rule executions, such as failures and last execution times, click the Monitoring tab in the All rules table (Security → Detections → Manage detection rules).
For detailed information on a rule, its generated alerts and errors, click on a rule name in the All rules table.
Troubleshoot missing alerts
When a rule fails to run close to its scheduled time, some alerts may be missing. There are a number of steps you can perform to try to resolve this issue.
If you see Gaps in the All rules table or on the Rule details page for a small number of rules, you can increase those rules' Additional look-back time (Detection rules page → the rule's actions icon → Edit rule settings → Schedule → Additional look-back time).
If you see gaps for a lot of rules:
- If you restarted Kibana when many rules were activated, try deactivating them and then reactivating them in small batches at staggered intervals. This ensures Kibana does not attempt to run all the rules at the same time.
- Consider adding another Kibana instance to your environment.
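To make concrete why a late execution leaves alerts missing and why extra look-back closes the gap, here is an added example (not from the Elastic documentation, and a simplified model of query windows rather than Kibana's own gap calculation) that replays a constructed run history for one rule and computes the spans no execution ever queried:

```python
from datetime import datetime, timedelta


def query_windows(runs, interval, lookback):
    """Time span each execution searches: from (run - interval - lookback) up to the run time.
    This models the documented behaviour that look-back extends the query start backwards."""
    return sorted((run - interval - lookback, run) for run in runs)


def find_gaps(runs, interval, lookback):
    """Spans between consecutive executions that no query window covers.
    Events in these spans never match the rule, so their alerts are missing."""
    windows = query_windows(runs, interval, lookback)
    gaps = []
    for (_, prev_end), (next_start, _) in zip(windows, windows[1:]):
        if next_start > prev_end:
            gaps.append((prev_end, next_start))
    return gaps


def extra_lookback_needed(runs, interval, lookback):
    """Smallest additional look-back that would have closed every gap in this run history."""
    return max(
        (end - start for start, end in find_gaps(runs, interval, lookback)),
        default=timedelta(0),
    )


# Constructed run history (not real data): a rule scheduled every 5 minutes
# with 1 minute of additional look-back. The third execution is 8 minutes late,
# as happens when Kibana restarts with many rules active at once.
INTERVAL = timedelta(minutes=5)
LOOKBACK = timedelta(minutes=1)
RUNS = [
    datetime(2021, 6, 1, 12, 0),
    datetime(2021, 6, 1, 12, 5),
    datetime(2021, 6, 1, 12, 18),  # late: was scheduled for 12:10
    datetime(2021, 6, 1, 12, 23),
]

if __name__ == "__main__":
    for start, end in find_gaps(RUNS, INTERVAL, LOOKBACK):
        print(f"gap: {start:%H:%M} to {end:%H:%M} ({end - start} never queried)")
    print("additional look-back that would have covered it:",
          extra_lookback_needed(RUNS, INTERVAL, LOOKBACK))
```

Raising the look-back by the reported amount removes the gap for this history, but only for delays up to that size; gaps across many rules point to scheduling load, which is why the batched reactivation above is the fix in that case.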