We are unable to view custom alerts in the detection module. Showing error as below:
Hey there @anaghadeoreofficial -- welcome to the community!
Not sure what version you're on, but if you're below 7.12, there's a chance it could be this issue, where a rule with invalid fields is preventing the table from loading. Have you by chance used the Import rule functionality to import any custom or modified rules? The error itself points towards a potentially invalid query filter on the rule, so that would be suspect.
If it is indeed the above issue, recovery steps at this point would be to delete the problem rule. You should be able to do this via the Alerts and Actions UI under Stack Management, or leveraging the Detections API.
Note: the Alerts and Actions UI was not designed for managing Security Detection Rules; however, it should suffice for this as it has less strict validation when returning results.
If this turns out not to be your issue, could you please provide more information about your deployment (version, hosting, etc), and rules you're using?
Hope this helps -- cheers!
Can you verify the following?
Does Stack Monitoring show this error?
We should be able to debug further with the above information -- thanks!
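As an added example (not from this thread and not Elastic's own code), here is a small Python helper for the API route described above: it pages through the Detections API rule list, shortlists custom (non-prebuilt) rules that carry a query filter as candidates to review, and deletes a chosen rule by its rule_id. The Kibana URL and credentials are placeholders, and the "custom rule with filters" heuristic is an assumption drawn from the hint about imported rules, not an exact match for the bug.

```python
import base64
import json
import sys
import urllib.request

KIBANA = "https://kibana.example.internal:5601"  # placeholder, assumed URL
AUTH = base64.b64encode(b"elastic:changeme").decode()  # placeholder credentials
HEADERS = {"kbn-xsrf": "true", "Authorization": f"Basic {AUTH}"}


def _request(method, path):
    """Minimal JSON call against Kibana; kbn-xsrf is required for DELETE."""
    req = urllib.request.Request(KIBANA + path, method=method, headers=HEADERS)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def list_rules(per_page=100):
    """Page through /api/detection_engine/rules/_find and return every rule."""
    rules, page = [], 1
    while True:
        chunk = _request("GET", f"/api/detection_engine/rules/_find?page={page}&per_page={per_page}")
        rules.extend(chunk["data"])
        if len(chunk["data"]) < per_page:
            return rules
        page += 1


def select_candidates(rules):
    """Heuristic (assumption): custom rules that carry a query filter are the ones to review first."""
    return [r for r in rules if not r.get("immutable") and r.get("filters")]


def delete_rule(rule_id):
    """Delete one rule by its rule_id via the Detections API."""
    return _request("DELETE", f"/api/detection_engine/rules?rule_id={rule_id}")


# Constructed sample shaped like the _find output, used for an offline dry run.
SAMPLE_RULES = [
    {"rule_id": "prebuilt-1", "name": "Prebuilt rule", "immutable": True, "filters": [{"query": {}}]},
    {"rule_id": "custom-1", "name": "Imported rule", "immutable": False, "filters": [{"meta": {}}]},
    {"rule_id": "custom-2", "name": "Plain custom rule", "immutable": False, "filters": []},
]

if __name__ == "__main__":
    rules = list_rules() if "--live" in sys.argv else SAMPLE_RULES
    for r in select_candidates(rules):
        print(f"candidate: {r['rule_id']}  {r['name']}")
    if "--delete" in sys.argv:  # explicit opt-in; dry run otherwise
        delete_rule(sys.argv[sys.argv.index("--delete") + 1])
```

Run without flags to see the candidate list from the sample; `--live` talks to Kibana and `--delete <rule_id>` removes one rule.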
Hey, @spong as you mentioned above, YES I am seeing this error in the Stack monitoring section also.
- Our deployment is on-premises and we are using Kibana version 7.11.
- I have a superuser role, which means I have all privileges for Elastic clusters, indices, and Kibana spaces.
- Also, yes, we activated around 200 prebuilt Elastic rules in bulk, and after that we are facing these kinds of errors in detection rules and Stack Monitoring.