powershell - Atomic Red Team over Azure Pipeline - Stack Overflow


I have an Elastic environment with two agents enrolled on the fleet server. One agent is my local machine, the other agent is a Windows client from an Azure pipeline. The goal is to run the Azure pipeline, run the Atomic Red Team test (T1055.012) and trigger the alert in Elastic. When I run the atomic test from my local machine, the alerts are triggered like expected. However, when I do the exact same thing on the Windows client on the Azure pipeline, the alert is not triggered. This is the pipeline:

trigger:
- main  # Manual trigger required

pool:
  vmImage: 'windows-latest'

parameters:
  - name: VPN_USERNAME
    displayName: "VPN Username"
    type: string
    default: ""

  - name: VPN_PASSWORD
    displayName: "VPN Password"
    type: string
    default: ""

variables:
  VPN_SERVER: (redacted)
  PING_SERVER: (redacted)
  ELASTIC_URL: (redacted)
  ENROLLMENT_TOKEN: (redacted)
  KIBANA_URL: (redacted)
  KIBANA_API_KEY: (redacted)
  TestID: "T1055.012"

  # Map parameters to variables
  VPN_USERNAME: ${{ parameters.VPN_USERNAME }}
  VPN_PASSWORD: ${{ parameters.VPN_PASSWORD }}


stages:
- stage: Setup_And_Enroll
  displayName: "Set up VPN and Enroll Client"
  jobs:
  - job: InstallAndConnectVPN
    displayName: 'Install Cisco AnyConnect and Connect to VPN'
    steps:

    (Connect to VPN, redacted)
    
    - powershell: |
        # Download and Install Elastic Agent as Administrator
        $ProgressPreference = 'SilentlyContinue'
        Write-Host "Downloading Elastic Agent..."
        Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.16.2-windows-x86_64.zip -OutFile elastic-agent-8.16.2-windows-x86_64.zip
        Write-Host "Extracting Elastic Agent..."
        Expand-Archive .\elastic-agent-8.16.2-windows-x86_64.zip -DestinationPath .
        cd elastic-agent-8.16.2-windows-x86_64

        # Run the installation as Administrator
        Write-Host "Installing Elastic Agent..."
        $process = Start-Process .\elastic-agent.exe -ArgumentList "install", "--url=$(ELASTIC_URL)", "--enrollment-token=$(ENROLLMENT_TOKEN)", "-f", "--insecure", "-v" -Verb RunAs -PassThru
        $process.WaitForExit()
        if ($process.ExitCode -ne 0) {
            Write-Host "Elastic Agent installation failed with exit code $($process.ExitCode)"
        }

        Write-Host "Elastic Agent installed successfully."
      displayName: 'Enroll Client as Administrator'

    - powershell: |
        Write-Host "Checking Elastic Agent status every 10 seconds for up to 5 minutes..."
        $maxRetries = 30 # 5 minutes / 10 seconds
        $retryDelay = 10 # seconds
        $retryCount = 0
        $isHealthy = $false

        while ($retryCount -lt $maxRetries) {
            $agentStatus = & 'C:\Program Files\Elastic\Agent\elastic-agent.exe' status

            if ($agentStatus -match "Healthy") {
                Write-Host "Elastic Agent is healthy."
                $isHealthy = $true
                break
            }

            Write-Host "Elastic Agent is not healthy yet. Retrying in $retryDelay seconds... (Attempt $($retryCount + 1) of $maxRetries)"
            Start-Sleep -Seconds $retryDelay
            $retryCount++
        }

        if (-not $isHealthy) {
            Write-Error "Elastic Agent did not become healthy within the timeout period. Final status output:"
            Write-Host $agentStatus
            exit 1
        }
      displayName: 'Check Elastic Agent Health'

    - powershell: |
        Write-Host "Collecting logs from Elastic Agent .ndjson files..."

        # Define the path for the .ndjson files
        $ndjsonFiles = Get-ChildItem -Path "C:\Program Files\Elastic\Agent" -Filter "*.ndjson"

        foreach ($file in $ndjsonFiles) {
            Write-Host "Displaying log contents for file: $($file.Name)"
            Get-Content $file.FullName | Where-Object { $_ -match "error|warning" } | ForEach-Object { Write-Host $_ }
        }

        Write-Host "Collecting logs from the Elastic Agent diagnostics ZIP file..."

        # Path to the diagnostic ZIP file
        $zipFile = "C:\Program Files\Elastic\Agent\elastic-agent-diagnostics-2024-12-03T14-06-39Z-00.zip"

        if (Test-Path $zipFile) {
            Write-Host "Unzipping diagnostic file to inspect for errors or warnings..."

            # Unzip the diagnostic file to a temporary location
            $extractPath = "C:\Program Files\Elastic\Agent\diagnostic_temp"
            Expand-Archive -Path $zipFile -DestinationPath $extractPath -Force

            # Search for errors or warnings in the extracted logs
            $diagnosticLogs = Get-ChildItem -Path $extractPath -Recurse -Filter "*.log"
            foreach ($log in $diagnosticLogs) {
                Write-Host "Inspecting log file: $($log.FullName)"
                Get-Content $log.FullName | Where-Object { $_ -match "error|warning" } | ForEach-Object { Write-Host $_ }
            }

            # Clean up the extracted files
            Remove-Item -Path $extractPath -Recurse -Force
        } else {
            Write-Host "Elastic Agent diagnostic ZIP file not found at $zipFile"
        }

        Write-Host "Collecting and displaying Elastic Agent configuration logs..."
        
        # Display any issues in the Elastic Agent configuration files
        $configFiles = @("elastic-agent.yml", "elastic-agent.reference.yml", "elastic-agent.yml.2024-12-03T13-06-15.8451.bak")
        $configPathBase = "C:\Program Files\Elastic\Agent"

        foreach ($configFile in $configFiles) {
            $configPath = Join-Path -Path $configPathBase -ChildPath $configFile
            if (Test-Path $configPath) {
                Write-Host "Displaying contents of config file: $configFile"
                Get-Content $configPath | Where-Object { $_ -match "error|warning" } | ForEach-Object { Write-Host $_ }
            } else {
                Write-Host "Config file $configFile not found at $configPath"
            }
        }

        Write-Host "Scanning all other logs for errors and warnings..."

        # Scan all other log files within the Elastic Agent directory
        $otherLogFiles = Get-ChildItem -Path "C:\Program Files\Elastic\Agent" -Recurse -Include "*.log", "*.yml", "*.txt", "*.json", "*.ndjson"
        foreach ($logFile in $otherLogFiles) {
            Write-Host "Scanning file: $($logFile.FullName)"
            Get-Content $logFile.FullName | Where-Object { $_ -match "error|warning" } | ForEach-Object { Write-Host $_ }
        }

      displayName: 'Display Errors and Warnings from Log Files'

    - powershell: |
        # Step 1: Register a new Event Source in the Application log
        New-EventLog -LogName Application -Source TestSource

        # Step 2: Write an event with a custom message to the Application log
        Write-EventLog -LogName Application -Source TestSource -EntryType Information -EventId 1234 -Message "Test OpenProcess log"

        Write-Host "Event log successfully created and written to Application log."
      displayName: 'Create Event Log for TestSource'

    - powershell: |
        # Define log name and custom source
        $logName = "Microsoft-Windows-PowerShell/Operational"
        $sourceName = "T1055.012 Simulation"

        # Check if the event source already exists
        if (-not [System.Diagnostics.EventLog]::SourceExists($sourceName)) {
            # Create the event source and map it to the PowerShell Operational log
            New-EventLog -LogName $logName -Source $sourceName
            Write-Host "Created event source '$sourceName' in log '$logName'."
        } else {
            Write-Host "Event source '$sourceName' already exists in log '$logName'."
        }

        # Manually simulate logs with 'Start-Hollow' in the message
        $eventMessages = @(
            "Process hollowing detected: Start-Hollow.",
            "Injected process started with suspicious behavior.",
            "Potential process injection using atomic technique T1055.012."
        )

        # Loop to create multiple simulated logs
        foreach ($message in $eventMessages) {
            Write-EventLog -LogName $logName -Source $sourceName -EventId 1001 -EntryType Warning -Message $message
            Write-Host "Simulated event created: $message"
        }

        Write-Host "Simulation complete. Check '$logName' for the generated events."

      displayName: 'Create Event Log for Simulating T1055.012'


    - powershell: |
        Write-Host "Checking Elastic Agent service status and repairing if necessary..."

        # Check if Elastic Agent service is running
        $agentService = Get-Service -Name 'Elastic Agent'
        if ($agentService.Status -ne "Running") {
            Write-Host "Elastic Agent service is not running. Attempting to repair..."
            # Use the same service name as the Get-Service call above
            Stop-Service -Name 'Elastic Agent'
            Start-Process "C:\Program Files\Elastic\Agent\elastic-agent.exe" -ArgumentList "reset" -Wait
            Start-Service -Name 'Elastic Agent'
        } else {
            Write-Host "Elastic Agent service is running fine."
        }

        # Ensure all necessary services are present
        $services = @("ElasticEndpoint", "ElasticEndpointDriver", "ElasticELAMDriver")
        foreach ($service in $services) {
            $serviceStatus = Get-Service -Name $service -ErrorAction SilentlyContinue
            if ($null -eq $serviceStatus) {
                Write-Error "$service service is missing. Please check the Elastic Agent installation."
                exit 1
            } else {
                Write-Host "$service service is present."
            }
        }

        # Recheck Elastic Agent status
        $agentStatus = & 'C:\Program Files\Elastic\Agent\elastic-agent.exe' status
        if ($agentStatus -match "Healthy") {
            Write-Host "Elastic Agent is healthy."
        } else {
            Write-Error "Elastic Agent is not healthy. Please check the agent logs for more details."
            exit 1
        }

      displayName: 'Check and Repair Elastic Agent Services'

- stage: Setup_And_Run_Tests
  displayName: "Clone and Run Atomic Red Team Tests"
  jobs:
  - job: Clone_And_Run_Tests
    displayName: "Clone Atomic Red Team Repo and Run Tests"
    pool:
      vmImage: 'windows-latest'

    steps:
      # Step 1: Checkout the repository
      - checkout: self

      - powershell: |
          # Step 1: Temporarily set the execution policy to bypass
          Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force

          Write-Host "Install the required modules..."
          Install-Module -Name Invoke-AtomicRedTeam, powershell-yaml -Scope CurrentUser -Force

          Write-Host "Importing the Invoke-AtomicRedTeam module..."
          Import-Module Invoke-AtomicRedTeam

          Write-Host "Download the Atomic Red Team techniques..."
          IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing);
          Install-AtomicRedTeam -getAtomics -Force

          Write-Host "Run the atomic test for the specified technique..."
          $techniqueID = "$(TestID)"

          Write-Host "Running Atomic Test for Technique: $techniqueID"
          Invoke-AtomicTest $techniqueID -Verbose

          # Step 6: Handle test completion and log results
          if ($?) {
              Write-Host "Atomic test for $techniqueID completed successfully."
          } else {
              Write-Error "Atomic test for $techniqueID failed. Please check the logs for details."
          }
        displayName: "Run Atomic Red Team Test"


      - powershell: |
          # Check if the 'Microsoft-Windows-PowerShell/Operational' log exists
          $logName = 'Microsoft-Windows-PowerShell/Operational'

          # Get all event logs available on the system
          $availableLogs = Get-WinEvent -ListLog *

          # Check if the log exists in the list
          if ($availableLogs.LogName -contains $logName) {
              Write-Host "Log found: $logName"

              # Query the log for events with 'Start-Hollow' in the message
              $events = Get-WinEvent -LogName $logName | Where-Object { $_.Message -like '*Start-Hollow*' }

              # Output the matching events
              if ($events) {
                  Write-Host "Found events with 'Start-Hollow':"
                  $events | Format-Table TimeCreated, Message -AutoSize
              } else {
                  Write-Host "No 'Start-Hollow' events found in the log."
              }
          } else {
              Write-Host "Log not found: $logName"
          }
        displayName: "Check locally for logs"

      - powershell: |
          Write-Host "Waiting for 5 minutes to ensure all logs are sent..."
          Start-Sleep -Seconds 300
          Write-Host "Resuming pipeline after wait."
        displayName: "Wait for Logs to be Sent"

The pipeline runs successfully without any errors. At the step Create Event Log for TestSource I create a Windows event log for testing, for which I configured an alert in Elastic. The query of the alert is:

event.category:process and host.os.type:windows and powershell.file.script_block_text: "Test OpenProcess"

The step in the pipeline successfully creates the event and triggers the alert. When I do the same in step Create Event Log for Simulating T1055.012, the custom alert is not triggered. This is the query of the custom alert for simulating the atomic test:

event.category:process and host.os.type:windows and powershell.file.script_block_text: "Start-Hollow"

This custom rule is only triggered when I run the atomic test on my local machine. On both my local machine and the Azure client I can see logs from the datastream data_stream.dataset : "windows.powershell_operational".

What am I doing wrong? The Azure client successfully enrolls as an agent with the same policy as my local machine, it successfully runs the atomic tests, the logs are available locally (at step Check locally for logs), but I cannot see these logs in Elastic. Please help.

asked Jan 2 at 12:07 by MaxWasHere

1 Answer


I solved the "problem"; I did not realize that for each job Azure creates a new Windows client. The Atomic Red Team tests ran on a different client which was not enrolled in the fleet server.
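A way to restructure the pipeline in light of that answer, as an added example and not the asker's or the answerer's code: enrollment and the Atomic test become steps of one job, so they share a single hosted VM, and a guard step refuses to run the test unless the Elastic Agent is installed and healthy on the very host that will execute it. Variable names, the download URL and the install path are taken from the question; the VPN steps are omitted where marked, and the job and stage names are assumptions.

```yaml
trigger:
- main

pool:
  vmImage: 'windows-latest'

variables:
  ELASTIC_URL: (redacted)          # same values as in the question
  ENROLLMENT_TOKEN: (redacted)
  TestID: "T1055.012"

stages:
- stage: Enroll_And_Test
  displayName: "Enroll this host and run the Atomic test on it"
  jobs:
  # One job == one hosted agent VM. Every step below runs on the same machine,
  # so the host that runs Invoke-AtomicTest is the host that enrolled in Fleet.
  - job: Enroll_And_Run
    displayName: "Enroll Elastic Agent and run T1055.012 on the same VM"
    steps:
    # (VPN connection steps from the question go here, before enrollment)

    - powershell: |
        $ProgressPreference = 'SilentlyContinue'
        Invoke-WebRequest -Uri https://artifacts.elastic.co/downloads/beats/elastic-agent/elastic-agent-8.16.2-windows-x86_64.zip -OutFile elastic-agent-8.16.2-windows-x86_64.zip
        Expand-Archive .\elastic-agent-8.16.2-windows-x86_64.zip -DestinationPath .
        cd elastic-agent-8.16.2-windows-x86_64
        # --insecure disables TLS verification towards Fleet; acceptable in a lab only
        $p = Start-Process .\elastic-agent.exe -ArgumentList "install", "--url=$(ELASTIC_URL)", "--enrollment-token=$(ENROLLMENT_TOKEN)", "-f", "--insecure", "-v" -Verb RunAs -PassThru
        $p.WaitForExit()
        if ($p.ExitCode -ne 0) { throw "Elastic Agent install failed with exit code $($p.ExitCode)" }
      displayName: "Enroll Client"

    # Guard: fail fast if the host about to run the test is not an enrolled,
    # healthy agent. Run in a separate job, this step would have failed on the
    # fresh VM and exposed the cross-job mismatch before any test was executed.
    - powershell: |
        $exe = 'C:\Program Files\Elastic\Agent\elastic-agent.exe'
        if (-not (Test-Path $exe)) {
            throw "No Elastic Agent on $env:COMPUTERNAME; this job is not running on the enrolled host."
        }
        $deadline = (Get-Date).AddMinutes(5)
        do {
            $status = & $exe status 2>&1 | Out-String
            if ($status -match 'Healthy') { break }
            Start-Sleep -Seconds 10
        } while ((Get-Date) -lt $deadline)
        if ($status -notmatch 'Healthy') {
            Write-Host $status
            throw "Elastic Agent on $env:COMPUTERNAME is not healthy; refusing to run the test."
        }
        # This name is what the alert's host.name should show in Kibana
        Write-Host "Agent healthy on $env:COMPUTERNAME; test events will be shipped from this host."
      displayName: "Verify enrolled agent on this host"

    - powershell: |
        Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass -Force
        Install-Module -Name Invoke-AtomicRedTeam, powershell-yaml -Scope CurrentUser -Force
        Import-Module Invoke-AtomicRedTeam
        IEX (IWR 'https://raw.githubusercontent.com/redcanaryco/invoke-atomicredteam/master/install-atomicredteam.ps1' -UseBasicParsing)
        Install-AtomicRedTeam -getAtomics -Force
        Invoke-AtomicTest "$(TestID)" -Verbose
        Write-Host "Ran $(TestID) on $env:COMPUTERNAME"
      displayName: "Run Atomic Red Team Test"

    - powershell: |
        Start-Sleep -Seconds 300   # give the agent time to ship the events before the VM is discarded
      displayName: "Wait for Logs to be Sent"
```

When the alert fires, compare the host.name on the alert with the computer name printed by the guard step; if they differ, the test again ran somewhere other than the enrolled host.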
