hi guys am facing an issue with all prebuilt rules in Elasticsearch, when I enable the rules it runs with the following error
An error occurred during rule execution: message: "verification_exception
Root causes:
verification_exception: Found 4 problems
line 2:4: Unknown column [event.category], did you mean any of [event.action, event.code, event.created, event.outcome, event.code.keyword, event.action.keyword, event.kind.keyword]?
line 3:5: Unknown column [winlog.logon.type], did you mean any of [winlog.user.type, winlog.event_id, winlog.opcode, winlog.user.name, winlog.activity_id, winlog.event_data.Type]?
line 4:5: Unknown column [source.ip]
line 4:79: Unknown column [user.name], did you mean any of [agent.name, winlog.user.name, host.name, host.os.name]?"
this error is on the rule with name "Privileged Account Brute Force"
I am using the winlogbeat
but it seems that the issue on all rules since the fields mapping differs between the rules and the winlogbeat index
the rule EQL syntax is
sequence by winlog.computer_name, source.ip with maxspan=10s
[authentication where host.os.type == "windows" and event.action == "logon-failed" and
winlog.logon.type : "Network" and
source.ip != null and source.ip != "127.0.0.1" and source.ip != "::1" and user.name : "*admin*" and
/* noisy failure status codes often associated to authentication misconfiguration */
not winlog.event_data.Status : ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")] with runs=5
