Hi @Yuriy_Tsarenko, welcome to our community!
I want to ensure that you are aware of Elastic Common Schema (ECS).
The Elastic SIEM/Security app, including its detection rules, signals, and detection alerts, requires your data to be indexed in an ECS-compliant format. ECS is an open source, community-developed schema that specifies field names and Elasticsearch data types for each field, and provides descriptions and example usage.
The easiest way to get your data in ECS-compliant format is to use an Elastic-supplied beat module (e.g., filebeat or Elastic Agent integration), which will ingest and index your data in an ECS-compliant format. Elastic provides a growing list of these integrations that you can find on our Integrations page.
If you're using a custom data ingestion method (beat, Logstash, Ingest node pipeline), or one provided by a third-party, then you may need to convert your data so that it is in an ECS-compliant format before you can use the SIEM/security app. This can be done by creating your own beat/module, or your own Logstash configuration for each data source, which will convert your data to ECS during the ingestion process.
General guidelines for creating ECS-compliant data:
- Each indexed document (e.g., your log, event, etc.) MUST have the `@timestamp` field.
- Your index mapping template must specify the Elasticsearch field data type for each field as defined by ECS. For example, your `@timestamp` field must be of the `date` field data type, etc. This ensures that there will not be any mapping conflicts in your indices.
- The original fields from your log/event SHOULD be copied/renamed/converted to the corresponding ECS-defined field name and data type.
- Additional ECS fields, such as the ECS Categorization fields, SHOULD be populated for each log/event, to allow proper inclusion of your data into dashboards and detection rules.
A list of the specific ECS fields used by the SIEM/Security app is provided in this reference.
I am guessing that your Elasticsearch index mapping for `host` may not be compliant with ECS. Your document is using `host` to hold an IP address, but ECS defines `host` as a field set object with multiple `host.*` fields defined here.
Sorry for the information dump, but we've found that non-ECS-compliant data is a common root cause for users who experience problems getting their SIEM/Security app rules/signals to work.
Please let us know if this is helpful.
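As an added illustration (not part of the reply above, and not Elastic's own code), here is a small Python normalizer that applies the guidelines from the post to the situation described: a raw event whose top-level `host` holds an IP string is converted to the ECS `host.ip` object form, `@timestamp` and the categorization fields are populated, and the result is checked against a constructed slice of an ECS-style index mapping to surface the object-versus-string mapping conflict. The mapping excerpt, the sample event and the field names other than the ECS ones are assumptions made for the example.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed slice of an ECS-style index template mapping (example only).
# Per ECS: @timestamp is "date", host is an object whose host.ip is "ip".
ECS_MAPPING = {
    "@timestamp": {"type": "date"},
    "host": {"properties": {"ip": {"type": "ip"}, "name": {"type": "keyword"}}},
    "event": {"properties": {"kind": {"type": "keyword"}, "category": {"type": "keyword"}}},
    "message": {"type": "text"},
}

# Constructed non-ECS event, like the one in the thread: 'host' is a bare IP string.
RAW_EVENT = {"timestamp": "2024-01-15T10:22:01Z", "host": "10.0.0.5",
             "msg": "Accepted publickey for alice", "category": "authentication"}

def to_ecs(raw: dict) -> dict:
    """Convert a non-ECS event into ECS-compliant shape (assumed source field names)."""
    doc = {}
    # 1. Every document MUST carry @timestamp; reuse the source time if it has one.
    doc["@timestamp"] = raw.get("timestamp") or datetime.now(timezone.utc).isoformat()
    # 2. Rename/convert original fields to ECS names and types.
    host = raw.get("host")
    if isinstance(host, str):
        try:
            ipaddress.ip_address(host)
            doc["host"] = {"ip": [host]}        # host.ip is ip-typed (array allowed)
        except ValueError:
            doc["host"] = {"name": host}        # not an IP: treat it as host.name
    elif isinstance(host, dict):
        doc["host"] = host                      # already an object; keep as-is
    if "msg" in raw:
        doc["message"] = raw["msg"]
    # 3. Populate ECS categorization fields so dashboards/rules can select the event.
    doc["event"] = {"kind": "event", "category": [raw.get("category", "network")]}
    return doc

def mapping_conflicts(doc: dict, mapping: dict, prefix: str = "") -> list:
    """Return field paths whose value shape conflicts with the declared ES data type."""
    problems = []
    for field, value in doc.items():
        spec, path = mapping.get(field), f"{prefix}{field}"
        if spec is None:
            continue                            # unmapped: dynamic mapping, not a conflict
        if "properties" in spec:                # declared object (ECS field set)
            if not isinstance(value, dict):
                problems.append(f"{path}: expected object, got {type(value).__name__}")
            else:
                problems.extend(mapping_conflicts(value, spec["properties"], path + "."))
        elif spec["type"] == "date" and not isinstance(value, str):
            problems.append(f"{path}: expected date string")
    return problems
```

Running `mapping_conflicts(RAW_EVENT, ECS_MAPPING)` reports the `host` conflict, while the output of `to_ecs(RAW_EVENT)` checks clean.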