Bulk Indexing of signals failed: object mapping for [host] tried to parse field [host] as object, but found a concrete value name: "<rule name>:<random id>" rule id: "<rule_id>" signals index: ".siem-signals-default"
So the above is the reason we are getting in the 'failure history' of some rules.
Though the query triggers alerts in preview while creating the rule, after activation it's not triggering any alerts.
Things which I found might be of concern:
- In the X index, the mapping is dynamic and the host field is present in the template as an object. Detection rules which are based on the X index are able to trigger alerts; we face no issue with them.
- In the Y, Z, A indices the mapping is dynamic and the host field is not present in the template, but I'm considering that the value is getting fetched as a string.
- In the siem-signals-default index template, I think the host field is fetched as an object.
Is there any way we can fetch the host field from different indices with different types (object | string) into the siem-signals-default index?
Please help.
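One way to confirm which source indices collide on `host` before the bulk write into the signals index fails: pull each index's actual mapping (`GET <index>/_mapping`, since a dynamically mapped index may have a `host` field even when its template does not) and flag any field that is an object in one index but a leaf value in another. This is an added example, not code from the original post or from Elastic; the index names and mapping bodies below are constructed samples that mirror the situation described above.

```python
# Added example (not from the original post): detect object-vs-leaf mapping
# conflicts across index mappings as returned by GET <index>/_mapping.
from typing import Dict, List, Tuple


def flatten_mapping(props: dict, prefix: str = "") -> Dict[str, str]:
    """Return {dotted_field_path: kind}, where kind is 'object' for fields
    that carry nested properties and the declared type for leaf fields."""
    out: Dict[str, str] = {}
    for name, spec in props.items():
        path = f"{prefix}.{name}" if prefix else name
        if "properties" in spec:  # object (explicit or implicit) field
            out[path] = "object"
            out.update(flatten_mapping(spec["properties"], path))
        else:
            out[path] = spec.get("type", "object")
    return out


def find_conflicts(mappings: Dict[str, dict]) -> List[Tuple[str, Dict[str, str]]]:
    """mappings: {index_name: mapping body}. Returns [(field, {index: kind})]
    for every field that is an object in one index and a leaf type in another,
    which is exactly the combination that breaks the signals bulk index."""
    per_field: Dict[str, Dict[str, str]] = {}
    for index, body in mappings.items():
        props = body.get("mappings", body).get("properties", {})
        for path, kind in flatten_mapping(props).items():
            per_field.setdefault(path, {})[index] = kind
    conflicts = []
    for field, kinds in sorted(per_field.items()):
        has_object = "object" in kinds.values()
        has_leaf = any(k != "object" for k in kinds.values())
        if has_object and has_leaf:
            conflicts.append((field, kinds))
    return conflicts


# Constructed samples (hypothetical index names): x-index maps host as an
# object, y-index ended up with host as a keyword via dynamic mapping, and the
# signals index expects an object.
SAMPLE_MAPPINGS = {
    "x-index": {"mappings": {"properties": {
        "host": {"properties": {"name": {"type": "keyword"}}},
        "message": {"type": "text"}}}},
    "y-index": {"mappings": {"properties": {
        "host": {"type": "keyword"},
        "message": {"type": "text"}}}},
    ".siem-signals-default": {"mappings": {"properties": {
        "host": {"properties": {"name": {"type": "keyword"}}}}}},
}

if __name__ == "__main__":
    for field, kinds in find_conflicts(SAMPLE_MAPPINGS):
        print(f"{field}: " + ", ".join(f"{i}={k}" for i, k in kinds.items()))
```

Any index reported against `host` with a leaf kind is one whose documents will fail to be written into a signals index that maps `host` as an object.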