Detection Custom Rule not working

We are unable to view custom alerts in the detection module. Showing error as below:


Hey there @anaghadeoreofficial -- welcome to the community! :wave:

Not sure what version you're on, but if you're below 7.12, there's a chance it could be this issue, where a rule with invalid fields is preventing the table from loading. Have you by chance used the Import rule functionality to import any custom or modified rules? The error itself points towards a potentially invalid query filter on the rule, so that would be suspect.

If it is indeed the above issue, recovery steps at this point would be to delete the problem rule. You should be able to do this via the Alerts and Actions UI under Stack Management, or leveraging the Detections API.

Note: the Alerts and Actions UI was not designed for managing Security Detection Rules, however it should suffice for this as it has less strict validation when returning results.

If this turns out not to be your issue, could you please provide more information about your deployment (version, hosting, etc), and rules you're using?

Hope this helps -- cheers!
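To make the "find the problem rule, then delete it through the Detections API" step above concrete, here is an added Python example (written for this thread; it is not code from the original post or from Elastic). The endpoints `GET /api/detection_engine/rules/_find` and `DELETE /api/detection_engine/rules?rule_id=...` are the real Kibana Detections API paths and need the `kbn-xsrf` header; everything else is an assumption: the `_find` response below is a constructed sample, the definition of a "suspect" filter (a `filters` entry whose `query` is not a DSL object, or a `query`-type rule with an empty query) is my own heuristic, and `KIBANA_URL` is a placeholder. The script only reports and prints the delete URL; the actual DELETE is left to the operator.

```python
import json
import base64
import urllib.request
from urllib.parse import quote

# Constructed sample of a GET /api/detection_engine/rules/_find response,
# trimmed to the fields this check needs (sample data, not from the thread).
SAMPLE_FIND_RESPONSE = json.dumps({
    "page": 1, "perPage": 20, "total": 3,
    "data": [
        {"rule_id": "rule-ok", "name": "Valid KQL rule", "type": "query",
         "query": "event.category:process",
         "filters": [{"meta": {"type": "phrase", "key": "host.name"},
                      "query": {"match_phrase": {"host.name": "web-01"}}}]},
        {"rule_id": "rule-bad-filter", "name": "Imported with broken filter",
         "type": "query", "query": "event.category:process",
         # A filter whose "query" is a bare string instead of a DSL object.
         "filters": [{"meta": {"type": "phrase"}, "query": "not-a-dsl-object"}]},
        {"rule_id": "rule-empty-query", "name": "Imported with empty query",
         "type": "query", "query": "", "filters": []},
    ]
})


def rule_problems(rule: dict) -> list:
    """Return a list of human-readable problems found on one rule object.

    Heuristic (assumption): a query-type rule needs a non-empty query, and
    every entry in `filters` must be an object carrying a DSL `query` dict.
    """
    problems = []
    if rule.get("type") == "query" and not rule.get("query"):
        problems.append("empty query")
    filters = rule.get("filters", [])
    if not isinstance(filters, list):
        return problems + ["filters is not a list"]
    for i, f in enumerate(filters):
        if not isinstance(f, dict):
            problems.append(f"filter[{i}] is not an object")
            continue
        q = f.get("query")
        if not isinstance(q, dict) or not q:
            problems.append(f"filter[{i}] query is not a DSL object")
    return problems


def find_suspect_rules(find_response_json: str) -> dict:
    """Map rule_id -> problems for every rule in a `_find` response body."""
    body = json.loads(find_response_json)
    suspects = {}
    for rule in body.get("data", []):
        problems = rule_problems(rule)
        if problems:
            suspects[rule["rule_id"]] = problems
    return suspects


def delete_url(kibana_base: str, rule_id: str) -> str:
    """Build the Detections API DELETE URL for a rule (URL-encodes rule_id)."""
    base = kibana_base.rstrip("/")
    return f"{base}/api/detection_engine/rules?rule_id={quote(rule_id, safe='')}"


def fetch_find_response(kibana_base: str, user: str, password: str,
                        per_page: int = 100) -> str:
    """GET the `_find` endpoint with basic auth and the required kbn-xsrf header."""
    url = f"{kibana_base.rstrip('/')}/api/detection_engine/rules/_find?per_page={per_page}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={
        "kbn-xsrf": "true",
        "Authorization": f"Basic {token}",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Offline demonstration on the constructed sample; swap in
    # fetch_find_response("https://KIBANA_URL:5601", "user", "pass") for a live check.
    kibana = "https://KIBANA_URL:5601"  # placeholder
    for rid, probs in find_suspect_rules(SAMPLE_FIND_RESPONSE).items():
        print(f"{rid}: {', '.join(probs)}")
        print(f"  review, then: curl -XDELETE -H 'kbn-xsrf: true' '{delete_url(kibana, rid)}'")
```

Run it as-is to see the two constructed bad rules flagged; against a live stack, page through `_find` (the `page` parameter) if you have more than `per_page` rules, and read the flagged rule's full JSON before deleting it, since the heuristic is deliberately strict.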

Chatted a bit with @Frank_Hassanabad, and upon further inspection this doesn't appear to be related to #93325. This is an ES error bubbling up, similar to this other recent discuss.

Can you verify the following?

  • Are you seeing this error on any other pages within Kibana? Does navigating to Stack Monitoring show this error?
  • What version and type of deployment are you on?
  • Can you share the current user's role definition, and any configured document level security options that may be present?
  • Did this start happening after a specific configuration change, or addition of new rules? If so, can you provide more details as to what changes, or the rules in question?

We should be able to debug further with the above information -- thanks!


Hey @spong, as you mentioned above, YES, I am seeing this error in the Stack Monitoring section also.
- Our deployment is on-premises and we are using Kibana version 7.11.
- I have superuser role access, which means I have all privileges for Elasticsearch clusters, indices, and Kibana spaces.
- Also, yes, we activated around 200 prebuilt Elastic rules in bulk, and after that we have been facing these kinds of errors in Detection Rules and Stack Monitoring.