No Alerts are getting generated for custom rule

SKP · August 21, 2024, 4:32pm

Hi ,
I have created a a detector with acustom rule. But i am unable to get the alerts.
Note:
when i run a GET query for “priority”: “Warning” i am also able to get the results.
I am also able to get the latest logs in Discover. But the alerts are not getting triggered.
Both Detector and Rule are enabled.
Please help, on what is wrong in below custom rule so that i can get the alerts?

id: q6qWa5EB1bdpHijd0ac7
logsource:
product: xxxxx-logs
title: Warning Priority Alert
description: Triggers an alert when the priority in Falco logs is “Warning”.
tags:
falsepositives:
level: high
status: experimental
references:
author: sourav
detection:
condition: Selection_1
Selection_1:
query:
- |
priority: “Warning”
timeframe: 5m
threshold:
value: 1

system · October 20, 2024, 4:33pm

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Can't view any alerts or findings ( Security Analytics ) Security Analytics	1	67	October 6, 2024
Detectors with custom rules are not producing any findings or alerts Security Analytics	1	423	May 29, 2023
Not showing findings or alerts Security Analytics troubleshoot , index-management	1	195	August 6, 2024
How to make security Analytics Rule Detection Security Analytics configure	4	656	August 12, 2023
Custom decoders and rules - Alert not shown Index Management troubleshoot , configure , index-management	1	40	April 7, 2025

No Alerts are getting generated for custom rule

Related topics