Troubleshooting

Dashboard Not Loading

  1. Check your browser’s console for JavaScript errors.

  2. Verify your user has permissions for SIEM dashboards.

  3. Try refreshing the page or clearing browser cache.

  4. Check whether the selected time range is too large; if so, reduce it to the last 24 hours.

No Data Showing

  1. Verify Endpoint Security agents are connected and reporting — check agent status in the SIEM Overview dashboard.

  2. Confirm the selected time range includes the period when events occurred.

  3. Check if filters are too restrictive.

  4. Verify your user role has access to the relevant data sources.

Alerts Not Triggering

Alerts Not Firing

Diagnostic steps:

  1. Check rule syntax - Verify that the YAML rule definition parses and is well-formed.

  2. Test with a smaller dataset - Use Discover to confirm that the rule's query logic returns the expected events.

  3. Verify index patterns - Ensure that data actually exists in the indices the rule specifies.

  4. Check time ranges - Confirm that the events fall within the rule's detection window.

  5. Review logs - Check the ELS logs for processing errors.

High False Positive Rate

Solutions:

  1. Tune alert thresholds - Raise the required event count or the minimum severity level.

  2. Add exclusions - Filter out known-good activity.

  3. Refine time windows - Adjust the detection time frame to match the behaviour being detected.

  4. Use risk scoring - Focus on high-risk events only.
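The effect of the tuning steps above (threshold, severity floor, exclusions, time window) and of the detection-window check under "Alerts Not Firing" can be reasoned about with a small rule evaluator. The Python below is an added example and is not the product's rule engine or its rule schema: the rule keys (event, group_by, threshold, min_severity, window_minutes, exclude) and the sample events are constructed for illustration only.

```python
from datetime import datetime, timedelta, timezone

def parse_ts(s):
    """Parse an ISO-8601 UTC timestamp such as 2024-01-10T12:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def _ev(ts, host, user, event="failed_login", severity=3):
    return {"@timestamp": ts, "host": host, "user": user, "event": event, "severity": severity}

# Constructed sample events (not real telemetry). Evaluation time is 12:00 UTC.
NOW = parse_ts("2024-01-10T12:00:00Z")
EVENTS = (
    [_ev(f"2024-01-10T11:5{i}:00Z", "ws-01", "alice") for i in range(5)]          # burst of 5 failures, 11:50-11:54
    + [_ev("2024-01-10T11:55:00Z", "ws-02", "bob")]                                # single failure: a typo
    + [_ev(f"2024-01-10T11:4{i}:00Z", "ws-03", "svc-scanner") for i in range(5)]  # authorised scanner account
    + [_ev(f"2024-01-10T08:0{i}:00Z", "ws-04", "carol") for i in range(5)]        # burst, but about 4 h before NOW
    + [_ev("2024-01-10T11:56:00Z", "ws-01", "alice", event="login", severity=1)]  # different event type
)

def evaluate_rule(rule, events, now):
    """Return {group_key: count} for every key that meets the rule's threshold.

    Rule keys (assumed schema for this example): event, group_by, threshold,
    min_severity, window_minutes, exclude.
    """
    window_start = now - timedelta(minutes=rule["window_minutes"])
    counts = {}
    for e in events:
        ts = parse_ts(e["@timestamp"])
        if not (window_start <= ts <= now):       # outside the detection window
            continue
        if e["event"] != rule["event"]:           # wrong event type
            continue
        if e["severity"] < rule["min_severity"]:  # below the severity floor
            continue
        key = e[rule["group_by"]]
        if key in rule["exclude"]:                # known-good exclusion
            continue
        counts[key] = counts.get(key, 0) + 1
    return {k: c for k, c in counts.items() if c >= rule["threshold"]}

# Untuned: fires on any single failed login in the last hour.
NOISY_RULE = {"event": "failed_login", "group_by": "user", "threshold": 1,
              "min_severity": 1, "window_minutes": 60, "exclude": []}

# Tuned: five or more failures of severity >= 3 per user within an hour,
# with the authorised scanner account excluded.
TUNED_RULE = {"event": "failed_login", "group_by": "user", "threshold": 5,
              "min_severity": 3, "window_minutes": 60, "exclude": ["svc-scanner"]}

if __name__ == "__main__":
    print("noisy:", evaluate_rule(NOISY_RULE, EVENTS, NOW))   # alice, bob and svc-scanner
    print("tuned:", evaluate_rule(TUNED_RULE, EVENTS, NOW))   # alice only
    # Widening the window to 24 h also surfaces carol's earlier burst: a rule
    # that "does not fire" may simply have a window that ends before the events.
    print("24h:  ", evaluate_rule({**TUNED_RULE, "window_minutes": 1440}, EVENTS, NOW))
```

Running the untuned rule against the sample shows three noisy hits; the tuned rule keeps only the genuine burst, and the 24-hour variant shows why an alert can appear not to fire when the events sit outside the window the rule actually evaluates.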

Performance Issues

  1. Reduce dashboard time ranges to improve loading speed.

  2. Use filters to limit data volume.

  3. Close unused dashboard tabs.

  4. Contact administrator if cluster performance is degraded.