Sigma rule alerts do not show

Sysmon has not been installed.

  1. Download and install Sysmon.
  2. Restart Arc to make sure that Sysmon is active.
  3. Make sure that Sigma rules are enabled in the local configuration user interface (UI).

Note: If Sysmon is installed and working correctly:
  • You can use the Windows Event Viewer to view Sysmon-generated events. (You can find these in: Applications and Services Logs > Microsoft > Windows > Sysmon > Operational.)
  • You should get a message similar to this in the log file:
    … Sysmon Event Generator | Events added 45, events discarded 0, in 1715 ms

You do not have Sigma rules enabled in the local configuration UI.

  1. Open the local configuration UI.
  2. Select Configuration.
    The Configuration page opens.
  3. Select the Sigma rules checkbox.
  4. Select Save.
  5. Check to see if Sigma rule alerts now show.

You have Sysmon installed and enabled, but you do not get a message similar to this in the log file:
… Matcher for EventID 1 | Matches found 1, in 0 ms
Note: This is not an error. It means that an event that would trigger an alert has not been detected yet.
Wait for Arc to show an alert that is based on Sigma rules.

You have Sysmon installed and enabled, but you do not get a message similar to this in the log file:
… Matcher for EventID 1 | Sending 1 alert rules 200 OK
Note: This can mean that the host was too busy to communicate.
Note: If a status other than 200 (204 on Vantage) is returned, the alert might have been produced, but a communication failure prevented it from being delivered to Guardian.
Wait for Arc to make another attempt to communicate with the host.
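The three log messages quoted above (the Sysmon Event Generator line, the Matcher "Matches found" line, and the "Sending … alert rules" line with its HTTP status) are enough to tell which of the situations on this page applies. The script below is an added example, not Nozomi Networks code: it scans an Arc log for those three message shapes and reports the matching troubleshooting state. The sample log is constructed for the example, the timestamp prefix is assumed (the page elides it with "…"), and the rule that Guardian acknowledges with 200 and Vantage with 204 is taken from the note above.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Patterns for the three Arc log messages quoted on this page.
GENERATOR_RE = re.compile(r"Sysmon Event Generator \| Events added (\d+), events discarded (\d+)")
MATCHER_RE = re.compile(r"Matcher for EventID (\d+) \| Matches found (\d+)")
SEND_RE = re.compile(r"Matcher for EventID (\d+) \| Sending (\d+) alert rules? (\d{3})")

# Next step for each state, taken from the troubleshooting text above.
NEXT_STEP: Dict[str, str] = {
    "no-sysmon-events": "Install Sysmon, restart Arc, and confirm Sigma rules are enabled in the local configuration UI.",
    "no-matches-yet": "Not an error: no event matching a Sigma rule has been seen yet. Wait for an alert.",
    "delivery-failed": "Alert produced but not acknowledged (non-200/204). Wait for Arc to retry the host.",
    "alerts-delivered": "Sigma alerts are being generated and delivered.",
}

# Constructed sample log (not a real capture); the "2024-01-01 ... INFO" prefix is assumed.
SAMPLE_LOG = """\
2024-01-01 10:00:00 INFO Sysmon Event Generator | Events added 45, events discarded 0, in 1715 ms
2024-01-01 10:00:01 INFO Matcher for EventID 1 | Matches found 1, in 0 ms
2024-01-01 10:00:02 INFO Matcher for EventID 1 | Sending 1 alert rules 503 Service Unavailable
2024-01-01 10:00:12 INFO Matcher for EventID 1 | Sending 1 alert rules 200 OK
"""


@dataclass
class Triage:
    events_added: int = 0
    events_discarded: int = 0
    matches_found: int = 0
    alerts_delivered: int = 0
    failed_status_codes: List[int] = field(default_factory=list)
    diagnosis: str = ""


def accepted_codes(vantage: bool) -> set:
    """Guardian acknowledges a sent alert with 200, Vantage with 204."""
    return {204} if vantage else {200}


def triage_log(text: str, vantage: bool = False) -> Triage:
    """Classify an Arc log into one of the states described on this page."""
    t = Triage()
    ok = accepted_codes(vantage)
    for line in text.splitlines():
        m = GENERATOR_RE.search(line)
        if m:
            t.events_added += int(m.group(1))
            t.events_discarded += int(m.group(2))
            continue
        m = MATCHER_RE.search(line)
        if m:
            t.matches_found += int(m.group(2))
            continue
        m = SEND_RE.search(line)
        if m:
            count, code = int(m.group(2)), int(m.group(3))
            if code in ok:
                t.alerts_delivered += count
            else:
                # Any other status means a delivery failure; Arc will retry.
                t.failed_status_codes.append(code)

    if t.events_added == 0:
        t.diagnosis = "no-sysmon-events"      # Sysmon not installed or not active
    elif t.matches_found == 0:
        t.diagnosis = "no-matches-yet"        # nothing matched a Sigma rule yet
    elif t.alerts_delivered == 0:
        t.diagnosis = "delivery-failed"       # matched, but never acknowledged
    else:
        t.diagnosis = "alerts-delivered"
    return t


if __name__ == "__main__":
    result = triage_log(SAMPLE_LOG)
    print(result)
    print(NEXT_STEP[result.diagnosis])
```

Run it against the Arc log file instead of `SAMPLE_LOG` and pass `vantage=True` when the sensor reports to Vantage, since a 200 from a Vantage-managed sensor would otherwise be counted as a success. The counter of discarded events is kept because a non-zero value with zero matches points at event loss rather than at the absence of matching activity.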

If none of the previous solutions work, please contact our Customer Support team.