Detection Rule Error

Hi @Frank_Hassanabad,
Thank you for your reply.
Here is the rule export:

{"author":[],"actions":[],"created_at":"2020-10-21T14:10:58.170Z","updated_at":"2020-10-21T14:58:36.538Z","created_by":"acristal","description":"Rogue AP Detection","enabled":true,"false_positives":[],"filters":[],"from":"now-3900s","id":"376e5caf-7fa0-4657-87b5-33ee249f9b3b","immutable":false,"index":["forti-logs*"],"interval":"5m","rule_id":"b57a7041-d90f-4023-adf4-09e19182dcea","language":"kuery","license":"","output_index":".siem-signals-siem","max_signals":100,"risk_score":74,"risk_score_mapping":[],"name":"Rogue AP Detection","query":"logid: \"0104043563\"","references":[],"meta":{"from":"60m","kibana_siem_app_url":"https://192.168.1.93:5601/s/siem/app/security"},"severity":"critical","severity_mapping":[],"updated_by":"acristal","tags":[],"to":"now","type":"query","threat":[],"throttle":"no_actions","version":2,"exceptions_list":[]}
{"exported_count":1,"missing_rules":[],"missing_rules_count":0} 

Also my index mapping:
Index Mapping

It seems that there is something in the space SIEM that broke the rule. I did a few tests.
Here are the results, to provide more information:

  • I've created another space called IGOR, exported ALL objects from SIEM and imported them into IGOR.
    Then I created the detection rule; same error.

  • I've created a 3rd space called Test and exported ONLY index patterns, dashboards, visualizations, maps, searches and lens from SIEM into Test.
    Then I created the same rule in the new one and I do not have the error (although it is not working as expected; same problem as in Detections with custom query).

  • I have a separate ELK instance running with a space called SIEM. I created the rule and, after a few successful executions, have the same error.

My conclusion is that the error is somehow related to the space name "SIEM": even when I create a new Space with a different name and import ALL objects into the new space, some configuration could remain with the siem name and break the rule.

Thank you, and sorry for my long reply.
Regards,
Anna