Bulk Indexing of signals failed: object mapping for [host] tried to parse field [host] as object, but found a concrete value name

Hi team,

the parser used for Kaspersky, more precisely in the host field, does not allow the triggering of the rule relating to the detection of malicious files once the conditions are met.


Can you please tell which version of ES/Kibana are you using?
Looking at error, it seems like host property is not ECS compliant.
It should be object: Host Fields | Elastic Common Schema (ECS) Reference [8.8] | Elastic, not a string.

There are 2 ways to proceed:

  1. In 8.7, we implemented removing from alert source document ECS non compliant data: [Security Solution][Alerts] Strip ECS-incompatible fields before writing alerts · Issue #146848 · elastic/kibana · GitHub. It will allow to trigger alert, but string type host, will be removed from alert. It will be logged though
  2. Reindex data, so it will be compliant. I.e. host can become compliant "host.name" Host Fields | Elastic Common Schema (ECS) Reference [8.8] | Elastic

Thanks, Vitalii

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.