Windows logs in Alerts

[redla1N]

Hi guys!
After your last help I managed to get events from Domain Controller.
Now I want to apply aggregation.
Please tell me how to see all the events that come to me in SO in Alerts?

In kibana and hunt I have a lot of events, but in Alerts not a single one on Windows.

How to make all Windows events in Alerts?

[reyesj2]

Can you explain a bit more what you mean? If you want to generate alerts for your windows event data you will need to enable or create sigma rules https://docs.securityonion.net/en/2.4/sigma.html

[redla1N]

My Sigma rules enabled or do I need to turn it on somewhere else?

And my elastalert always in status: sync failed. Im told about that in #14727

[cm-ops]

Try reverting that all setting to the default by hitting the blue circle.

[redla1N]

Yes. In Hunt im have alerts.
But i cant deny alerts, becouse in dashboards no one event from Windows, only suricata.

And in Detections Fail. ElasterAlert:sSyncFailed

I need deny my alerts, but i cant do it

[cm-ops]

You have no sigma rules loaded, just 2 custom ones. If you do not have overrides configured try the following:

Remove the so-detection and so-detectionhistory indices
Restart SOC with sudo so-soc-restart
Wait for the rules to download and sync