Let's make sure the mapping for event.module is keyword for all the indices in your environment.
The default indices used by the Security app

By default, the Security app displays data from the following Elasticsearch indices, as specified in the securitySolution:defaultIndex Kibana Advanced setting:

apm-*-transaction*, auditbeat-*, endgame-*, filebeat-*, logs-*, packetbeat-*, winlogbeat-*

Note: You can view the above Kibana Advanced setting via Stack Management > Kibana > Advanced Settings.
About the _mapping API examples in this reply

The next section makes use of the _mapping API to view the mappings for indices that match the index patterns specified in the securitySolution:defaultIndex Kibana Advanced setting.

To provide the example output in this reply, I spun up a fresh instance of 7.9.2 in Elastic Cloud, and then ingested data from Auditbeat on my Mac to populate the Security app with data:

./auditbeat setup
./auditbeat -e
Using the _mapping API

Let's use the mapping API to view the mappings for each of the indexes specified in the securitySolution:defaultIndex Kibana Advanced setting.

To get started, navigate to Management > Dev Tools.

In the next sections, we'll execute commands in the Dev Tools.
apm-*-transaction*

Execute the following query for the first index pattern specified in the securitySolution:defaultIndex Kibana Advanced setting, apm-*-transaction*:

GET /apm-*-transaction*/_mapping/field/event.module
The output for the above command in the environment described above is:
{
  "apm-7.9.2-transaction-000001" : {
    "mappings" : {
      "event.module" : {
        "full_name" : "event.module",
        "mapping" : {
          "module" : {
            "type" : "keyword",
            "ignore_above" : 1024
          }
        }
      }
    }
  }
}

The output above shows the mapping for event.module in the apm-7.9.2-transaction-000001 index.
auditbeat-*
Execute the following query:
GET /auditbeat-*/_mapping/field/event.module
The output for the above command in the environment described above is:
{
  "auditbeat-7.9.2-2020.09.29-000001" : {
    "mappings" : {
      "event.module" : {
        "full_name" : "event.module",
        "mapping" : {
          "module" : {
            "type" : "keyword",
            "ignore_above" : 1024
          }
        }
      }
    }
  }
}
endgame-*
Execute the following query:
GET /endgame-*/_mapping/field/event.module
The output for the above command in the environment described above is:
{ }
filebeat-*
Execute the following query:
GET /filebeat-*/_mapping/field/event.module
The output for the above command in the environment described above is:
{ }
Since you ingested data via Filebeat in your environment, I would expect to see one or more indices when the GET command above is run.
logs-*
Execute the following query:
GET /logs-*/_mapping/field/event.module
The output for the above command in the environment described above is:
{ }
packetbeat-*
Execute the following query:
GET /packetbeat-*/_mapping/field/event.module
The output for the above command in the environment described above is:
{ }
winlogbeat-*
Execute the following query:
GET /winlogbeat-*/_mapping/field/event.module
The output for the above command in the environment described above is:
{ }
Since you ingested data via Winlogbeat in your environment, you may see one or more indices when the GET command above is run.
Mappings for Detections indices

If you activated any detection rules, detection alerts will also be written to indexes that match the .siem-signals-default index pattern. To view the event.module mappings for Detections indices, execute the following query:
GET /.siem-signals-default/_mapping/field/event.module
The output for the above command in the environment described above is:
{
  ".siem-signals-default-000001" : {
    "mappings" : {
      "event.module" : {
        "full_name" : "event.module",
        "mapping" : {
          "module" : {
            "type" : "keyword",
            "ignore_above" : 1024
          }
        }
      }
    }
  }
}

The output above shows detection alerts were enabled in the sample environment described above, and indexed into the .siem-signals-default-000001 index.
@Derick_Jansen, would you be willing to validate the mappings for event.module via the steps above?
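To make the check above repeatable across every pattern in securitySolution:defaultIndex, here is an added Python example (not part of the reply above, and not Elastic code) that audits the JSON bodies returned by GET /<pattern>/_mapping/field/event.module. It takes the responses as already-parsed dicts, so it runs offline; the SAMPLE_RESPONSES below are constructed to show one correct index, one index where the field is mapped as text, one where the field is absent, and one pattern with no indices.

```python
# Audit the event.module mapping across the Security app's default index
# patterns. Input: pattern -> parsed JSON body of
#   GET /<pattern>/_mapping/field/event.module
# Output: pattern -> list of (index_name, status), where status is
#   "ok", "wrong_type:<type>", "field_missing" or "no_indices".

FIELD = "event.module"

# Constructed sample responses (hypothetical index names; the "text" and
# missing-field cases are deliberately wrong to exercise the checks).
SAMPLE_RESPONSES = {
    "auditbeat-*": {"auditbeat-7.9.2-2020.09.29-000001": {"mappings": {
        FIELD: {"full_name": FIELD, "mapping": {
            "module": {"type": "keyword", "ignore_above": 1024}}}}}},
    "filebeat-*": {"filebeat-7.9.2-000001": {"mappings": {
        FIELD: {"full_name": FIELD, "mapping": {
            "module": {"type": "text"}}}}}},
    "winlogbeat-*": {"winlogbeat-7.9.2-000001": {"mappings": {}}},
    "endgame-*": {},  # empty body: no index matches the pattern
}


def audit_field_mapping(responses, field=FIELD):
    """Classify the mapping of `field` in every index of every pattern."""
    report = {}
    leaf = field.rsplit(".", 1)[-1]  # the API keys the mapping by leaf name
    for pattern, body in responses.items():
        if not body:
            report[pattern] = [("-", "no_indices")]
            continue
        findings = []
        for index_name, index_body in body.items():
            field_mapping = index_body.get("mappings", {}).get(field)
            if field_mapping is None:
                findings.append((index_name, "field_missing"))
                continue
            ftype = field_mapping.get("mapping", {}).get(leaf, {}).get("type")
            status = "ok" if ftype == "keyword" else f"wrong_type:{ftype}"
            findings.append((index_name, status))
        report[pattern] = findings
    return report


def all_keyword(report):
    """True only if every index that exists maps the field as keyword."""
    return all(status in ("ok", "no_indices")
               for findings in report.values() for _, status in findings)


if __name__ == "__main__":
    for pattern, findings in audit_field_mapping(SAMPLE_RESPONSES).items():
        for index_name, status in findings:
            print(f"{pattern:20} {index_name:40} {status}")
```

A pattern that returns {} is reported as no_indices rather than a failure, since, as in the reply above, an empty body only means nothing matched the pattern yet.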