Hi guys, I am facing an issue with all prebuilt rules in Elasticsearch. When I enable the rules, they run with the following error:
An error occurred during rule execution: message: "verification_exception Root causes: verification_exception: Found 4 problems line 2:4: Unknown column [event.category], did you mean any of [event.action, event.code, event.created, event.outcome, event.code.keyword, event.action.keyword, event.kind.keyword]? line 3:5: Unknown column [winlog.logon.type], did you mean any of [winlog.user.type, winlog.event_id, winlog.opcode, winlog.user.name, winlog.activity_id, winlog.event_data.Type]? line 4:5: Unknown column [source.ip] line 4:79: Unknown column [user.name], did you mean any of [agent.name, winlog.user.name, host.name, host.os.name]?"
This error is on the rule with the name "Privileged Account Brute Force".
I am using Winlogbeat,
but it seems that the issue is on all rules, since the field mapping differs between the rules and the Winlogbeat index.
The rule's EQL syntax is:
```eql
sequence by winlog.computer_name, source.ip with maxspan=10s
  [authentication where host.os.type == "windows" and event.action == "logon-failed" and
    winlog.logon.type : "Network" and
    source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and user.name : "*admin*" and
    /* noisy failure status codes often associated to authentication misconfiguration */
    not winlog.event_data.Status : ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")] with runs=5
```
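The error above is a field-mapping mismatch: the prebuilt rule references ECS fields that the index does not contain. A quick way to find every such field before enabling a rule is to extract the field names the EQL query references and diff them against the index mapping. The script below is an added example, not code from Elastic or from the original post. The mapping it uses is a constructed, trimmed stand-in for what `GET winlogbeat-*/_mapping` would return, with only the fields relevant to the quoted rule; on a real index you would pass the `mappings` object from that response instead. One detail the checker accounts for: the `authentication where ...` clause is an EQL event-category filter, which Elasticsearch evaluates against `event.category`, so that field is required even though it never appears literally in the query text, which is why the error lists it as the first of the four problems.

```python
import re

# Constructed sample mapping (an assumption for illustration, not an export from
# a real Winlogbeat index): the "mappings" object of an index, trimmed to the
# fields that matter for the rule quoted in the post. Note that winlog.logon.type,
# source.ip, user.name and event.category are deliberately absent.
SAMPLE_MAPPING = {
    "properties": {
        "event": {"properties": {
            "action": {"type": "keyword"}, "code": {"type": "keyword"},
            "created": {"type": "date"}, "outcome": {"type": "keyword"},
        }},
        "winlog": {"properties": {
            "computer_name": {"type": "keyword"},
            "event_id": {"type": "keyword"},
            "user": {"properties": {"name": {"type": "keyword"}}},
            "event_data": {"properties": {"Status": {"type": "keyword"}}},
        }},
        "host": {"properties": {
            "name": {"type": "keyword"},
            "os": {"properties": {"name": {"type": "keyword"}, "type": {"type": "keyword"}}},
        }},
    }
}

# The prebuilt rule's EQL query, copied from the post above.
RULE_EQL = '''sequence by winlog.computer_name, source.ip with maxspan=10s
  [authentication where host.os.type == "windows" and event.action == "logon-failed" and
    winlog.logon.type : "Network" and
    source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and user.name : "*admin*" and
    /* noisy failure status codes often associated to authentication misconfiguration */
    not winlog.event_data.Status : ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")] with runs=5'''


def flatten_mapping(mapping, prefix=""):
    """Walk an Elasticsearch mapping and return the set of dotted field paths."""
    fields = set()
    for name, body in mapping.get("properties", {}).items():
        path = f"{prefix}{name}"
        if "properties" in body:            # object field: recurse into children
            fields |= flatten_mapping(body, path + ".")
        else:
            fields.add(path)
            for sub in body.get("fields", {}):  # multi-fields such as name.keyword
                fields.add(f"{path}.{sub}")
    return fields


_COMMENT = re.compile(r"/\*.*?\*/", re.S)                 # /* ... */ block comments
_STRING = re.compile(r'"(?:\\.|[^"\\])*"')                # "..." literals, e.g. "127.0.0.1"
_DOTTED = re.compile(r"\b[A-Za-z_][A-Za-z0-9_]*(?:\.[A-Za-z_][A-Za-z0-9_]*)+\b")
_CATEGORY = re.compile(r"\b([A-Za-z_][A-Za-z0-9_]*)\s+where\b")


def eql_fields(query):
    """Return the dotted field names an EQL query depends on.

    Comments and string literals are blanked first so that text like
    "127.0.0.1" or words inside a comment are not mistaken for fields.
    """
    text = _STRING.sub('""', _COMMENT.sub(" ", query))
    fields = set(_DOTTED.findall(text))
    # "<category> where ..." is an event-category filter that Elasticsearch
    # evaluates against event.category; "any where ..." applies no filter.
    for category in _CATEGORY.findall(text):
        if category != "any":
            fields.add("event.category")
    return fields


def missing_fields(query, mapping):
    """Fields the query needs that the index mapping does not define, sorted."""
    return sorted(eql_fields(query) - flatten_mapping(mapping))


if __name__ == "__main__":
    for field in missing_fields(RULE_EQL, SAMPLE_MAPPING):
        print(f"missing in index mapping: {field}")
```

Running this against the constructed mapping reports exactly the four fields named in the rule's verification error. Against a real index, any field it lists is one that either Winlogbeat is not producing for that event source or that an ingest pipeline or ECS-compatible mapping template is expected to add; the rule will not run until the mapping and the rule agree on those names.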