Elastic detection rules fail

xqaiviwjxzw · May 29, 2023, 4:25am

Rule failure at May 29, 2023 @ 12:09:44.438
Bulk Indexing of signals failed: ResponseError: search_phase_execution_exception

Caused by:

illegal_argument_exception: Can't sort on field [event.ingested]; the field has incompatible sort types: [STRING] and [LONG] across shards!

Elasticity detection rules display a large number of fail errors. What is the reason? What is the solution? Thanks.

vitaliidm · June 2, 2023, 3:46pm

Hi @xqaiviwjxzw

Can you please tell which version of Elasticsearch/Kibana are you using?
Looking at error, it seems like your rule queries indices that have different mapping for "event.ingested". According to ECS schema event.ingested should be of date format: Event Fields | Elastic Common Schema (ECS) Reference [8.8] | Elastic
Can you please check mapping for queried indices to understand whether my hypothesis is correct?
If it so, there are few ways to proceed

Ensure all indices that rule queries, have the same mapping for event.ingested. Can be achieved by editing rule, removing indices that have different mapping. Another rule can be added that have the removed indices from the first one
Reindexing the data to ensure it has the same format, preferably ECS compliant date across all indices

Thanks, Vitalii

system · June 30, 2023, 3:46pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Detection Rules Fail Index issues Elastic Security	9	2554	November 4, 2022
Field [event.ingested] of type [keyword] does not support custom formats Elasticsearch	2	385	December 12, 2022
Rule Failure Elastic Security	5	61	October 1, 2024
Elastic 7.9.1 - Security (SIEM) - Your visualization has error(s) - [illegal_argument_exception] SIEM	16	2246	November 9, 2020
Error after switching to ECS: 1 of 2 shards failed The data you are seeing might be incomplete or wrong Kibana ecs-elastic-common-schema	2	1264	October 29, 2020

Elastic detection rules fail

Related topics