An ECS compliant Kibana index pattern must be configured to view event data on the map

MarcusCaepio · November 29, 2019, 1:05pm

Hi all,
I am using Filebeat module cisco to get logs. I am not storing this logs in an index called filebeat-* but cisco-*. To get the correct mapping for this pattern, I exported the filebeat template and imported it for the pattern cisco-*. Anyway, the SIEM Network Map tells me that

An ECS compliant Kibana index pattern must be configured to view event data on the map. When using beats, you can run the following setup commands to create the required Kibana index patterns, otherwise you can configure them manually within Kibana settings.

I already added cisco-* to the default SIEM index search in management. But this doesn't seem to be solution. How can I add the cisco-* to the map?

Cheers,
Marcus

tudor · November 29, 2019, 2:14pm

Hi Marcus,

To confirm, you need two things:

Add cisco-* for "SIEM Elasticsearch indices" under the Kibana Advanced Settings
A Kibana index pattern for cisco-*, which you can add under Kibana Management / Index Patterns.

Do you have both?

MarcusCaepio · November 29, 2019, 3:23pm

Seems, it was my fault.
I added cisco-* to my SIEM settings, but the index pattern was set to cisco-asa-*. After changing it to cisco-* the error disappeared.

Cheers,
Marcus

wconnell · December 4, 2019, 7:23pm

I'm seeing this same error after upgrading to v7.5. I think it's due to an inconsistency in the field name that the visualization is looking for. ECS normalizes destination fields to the destination base name, but the documentation in v7.5 suddenly says to use the dest base field. See the screenshot attached.

I have geolocation data stored as a geo_point field at destination.geo.location. I've got a custom visualization in my other dashboards that renders data from the same index just fine.

Ben_Skelker · December 5, 2019, 2:02pm

Thanks for pointing that out. I've opened a PR to fix it.