We are unable to view custom alerts in the Detection module. It shows the error below:
Hey there @anaghadeoreofficial -- welcome to the community!
Not sure what version you're on, but if you're below 7.12, there's a chance it could be this issue, where a rule with invalid fields is preventing the table from loading. Have you by chance used the Import rule functionality to import any custom or modified rules? The error itself points towards a potentially invalid query filter on the rule, so that would be suspect.
If it is indeed the above issue, recovery steps at this point would be to delete the problem rule. You should be able to do this via the Alerts and Actions UI under Stack Management, or leveraging the Detections API.
Note: the Alerts and Actions UI was not designed for managing Security Detection Rules; however, it should suffice for this, as it has less strict validation when returning results.
If this turns out not to be your issue, could you please provide more information about your deployment (version, hosting, etc), and rules you're using?
Hope this helps -- cheers!
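The recovery path the reply describes, listing rules and deleting the offending one through the Detections API, as an added example (my code, not Elastic's and not posted in the thread). It assumes Kibana is reachable at KIBANA_URL with basic auth and that the rules live in the default space; the "suspect" heuristic (custom, non-immutable rules that carry query filters) is my reading of the reply, not an Elastic diagnostic, and the sample `_find` response is constructed.

```python
"""Added example: find Security detection rules and delete one by rule_id via
the Kibana Detection Engine API. Assumptions (not from the thread): Kibana at
KIBANA_URL, basic auth, default space. For another space, prefix the paths
with /s/<space-id>."""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

KIBANA_URL = os.environ.get("KIBANA_URL", "http://localhost:5601")
KIBANA_USER = os.environ.get("KIBANA_USER", "elastic")
KIBANA_PASS = os.environ.get("KIBANA_PASS", "changeme")

FIND_PATH = "/api/detection_engine/rules/_find"
RULES_PATH = "/api/detection_engine/rules"

# Constructed sample of a _find response: one prebuilt (immutable) rule and
# two custom rules, one of which carries a query filter.
SAMPLE_FIND_RESPONSE = {
    "page": 1, "perPage": 100, "total": 3,
    "data": [
        {"id": "a1", "rule_id": "prebuilt-1", "name": "Prebuilt rule",
         "immutable": True, "query": "event.code:1",
         "filters": [{"query": {"match_phrase": {"event.code": "1"}}}]},
        {"id": "a2", "rule_id": "custom-filter", "name": "Imported custom rule",
         "immutable": False, "query": "process.name:*",
         "filters": [{"query": {"match_phrase": {"nonexistent.field": "x"}}}]},
        {"id": "a3", "rule_id": "custom-plain", "name": "Custom rule, no filter",
         "immutable": False, "query": "user.name:root", "filters": []},
    ],
}


def build_url(base, path, params=None):
    """Join base URL, path and URL-encoded query parameters."""
    query = urllib.parse.urlencode(params or {})
    return f"{base}{path}" + (f"?{query}" if query else "")


def auth_headers(user, password):
    """kbn-xsrf is required on Kibana API writes; Basic auth is the simplest
    credential on an on-prem cluster (an API key header also works)."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"kbn-xsrf": "true", "Content-Type": "application/json",
            "Authorization": f"Basic {token}"}


def api_call(method, path, params=None):
    req = urllib.request.Request(
        build_url(KIBANA_URL, path, params), method=method,
        headers=auth_headers(KIBANA_USER, KIBANA_PASS))
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read().decode())


def list_all_rules(per_page=100):
    """Page through _find; the response carries page, perPage, total, data."""
    rules, page = [], 1
    while True:
        body = api_call("GET", FIND_PATH, {"page": page, "per_page": per_page})
        rules.extend(body.get("data", []))
        if not body.get("data") or len(rules) >= body.get("total", 0):
            return rules
        page += 1


def suspect_rules(rules):
    """Heuristic (mine): prebuilt rules are immutable, so a custom or imported
    rule that carries query filters is the first place to look for an invalid
    filter. Returns (rule_id, name) pairs."""
    return [(r["rule_id"], r["name"]) for r in rules
            if not r.get("immutable", False) and len(r.get("filters") or []) > 0]


def delete_rule(rule_id):
    """Delete by the user-facing rule_id (pass 'id' instead for the saved-object id)."""
    return api_call("DELETE", RULES_PATH, {"rule_id": rule_id})


if __name__ == "__main__":
    # Usage: python3 delete_rule.py            -> list suspect rules
    #        python3 delete_rule.py <rule_id>  -> delete that rule
    if len(sys.argv) > 1:
        print(json.dumps(delete_rule(sys.argv[1]), indent=2))
    else:
        for rid, name in suspect_rules(list_all_rules()):
            print(f"suspect: {rid}  {name}")
```

Run it once without arguments to see which custom rules carry filters, confirm the culprit in the Alerts and Actions UI, then pass its rule_id to delete it; the DELETE returns the deleted rule object, so keep that output if you want to re-import a corrected copy later.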
Can you verify the following?
- Does Stack Monitoring show this error?
We should be able to debug further with the above information -- thanks!
Hey @spong, as you mentioned above, YES, I am seeing this error in the Stack Monitoring section also.
- Our deployment is on-premises and we are using Kibana version 7.11.
- I have superuser role access, which means I have all privileges for Elasticsearch clusters, indices, and Kibana spaces.
- Also, yes, we activated around 200 prebuilt Elastic rules in bulk, and after that we have been facing these kinds of errors in Detection Rules and Stack Monitoring.
Can you look in there? We suspect that you have a filter or something set within the roles -> Granted documents query, or at a global index alias level. Stack Monitoring is pretty separate from the Security Solution application, which hints at maybe something global happening where an additional filter or query is being attached when you are querying for some information.
Huh, we haven't seen something like this before, since this is affecting Stack Monitoring and the detection engine.
This is very unusual.
If you're not on the latest 7.11.2 I would upgrade to that, or even maybe to 7.12.0. That might help things out. If it doesn't help, within both Stack Monitoring and Detection Rules can you open up the network panel in Chrome and give us the errors from there? As many of the network errors as we can get, such as the API path, response, etc., would help us figure out why a few people are seeing this problem.
From other conversations, this was solved through:
There was a version compatibility issue between Elasticsearch (v12) and Kibana (v10). Upgrading Kibana solved all the issues.