Detection Custom Rule not working

We are unable to view custom alerts in the detection module. Showing error as below:


Hey there @anaghadeoreofficial -- welcome to the community! :wave:

Not sure what version you're on, but if you're below 7.12, there's a chance it could be this issue, where a rule with invalid fields is preventing the table from loading. Have you by chance used the Import rule functionality to import any custom or modified rules? The error itself points towards a potentially invalid query filter on the rule, so that would be suspect.

If it is indeed the above issue, recovery steps at this point would be to delete the problem rule. You should be able to do this via the Alerts and Actions UI under Stack Management, or leveraging the Detections API.

Note: the Alerts and Actions UI was not designed for managing Security Detection Rules; however, it should suffice for this, as it has less strict validation when returning results.

If this turns out not to be your issue, could you please provide more information about your deployment (version, hosting, etc), and rules you're using?

Hope this helps -- cheers!

Chatted a bit with @Frank_Hassanabad, and upon further inspection this doesn't appear to be related to #93325. This is an ES error bubbling up, similar to this other recent Discuss post.

Can you verify the following?

  • Are you seeing this error on any other pages within Kibana? Does navigating to Stack Monitoring show this error?
  • What version and type of deployment are you on?
  • Can you share the current user's role definition, and any configured document level security options that may be present?
  • Did this start happening after a specific configuration change, or addition of new rules? If so, can you provide more details as to what changes, or the rules in question?

We should be able to debug further with the above information -- thanks!


Hey @spong, as you mentioned above, YES, I am seeing this error in the Stack Monitoring section also.

  • Our deployment is on-premises and we are using Kibana version 7.11.
  • I have superuser role access, which means having all privileges for Elastic clusters, indices, and Kibana spaces.
  • Also, yes, we activated around 200 prebuilt Elastic rules in bulk, and after that we are facing these kinds of errors in detection rules and Stack Monitoring.

Can you look in there? We suspect that you have a filter or something set within the

roles -> Granted documents query

Or as a global index alias level. The stack monitoring is pretty separate from the security solutions application which hints at maybe something global happening where an additional filter or query is being attached when you are querying for some information.

We do have this default permission for the superuser role.

Huh, we haven't seen something like this before, since this is affecting both Stack Monitoring and the detection engine.

This is very unusual.

If you're not on the latest 7.11.2, I would upgrade to that, or even maybe to 7.12.0. That might help things out. If it doesn't help, within both Stack Monitoring and detection rules, can you open up the network panel in Chrome and give us the errors from there? As many of the network errors as we can have (API path, response, etc.) would help us figure out why a few people are seeing this problem.

From other conversations this was solved through:

There was a version compatibility issue between elasticsearch(v12) and kibana(v10).
Upgrading Kibana solved all the issues.
