Elastic prebuilt rules error

Hi guys, I am facing an issue with all prebuilt rules in Elasticsearch. When I enable the rules, they run with the following error:

An error occurred during rule execution: message: "verification_exception

Root causes:

verification_exception: Found 4 problems

line 2:4: Unknown column [event.category], did you mean any of [event.action, event.code, event.created, event.outcome, event.code.keyword, event.action.keyword, event.kind.keyword]?

line 3:5: Unknown column [winlog.logon.type], did you mean any of [winlog.user.type, winlog.event_id, winlog.opcode, winlog.user.name, winlog.activity_id, winlog.event_data.Type]?

line 4:5: Unknown column [source.ip]

line 4:79: Unknown column [user.name], did you mean any of [agent.name, winlog.user.name, host.name, host.os.name]?"

This error is on the rule named "Privileged Account Brute Force".
I am using Winlogbeat,
but it seems that the issue is on all rules, since the field mapping differs between the rules and the Winlogbeat index.

The rule's EQL syntax is:

sequence by winlog.computer_name, source.ip with maxspan=10s
  [authentication where host.os.type == "windows" and event.action == "logon-failed" and
    winlog.logon.type : "Network" and
    source.ip != null and source.ip != "" and source.ip != "::1" and user.name : "*admin*" and

    /* noisy failure status codes often associated to authentication misconfiguration */
    not winlog.event_data.Status : ("0xC000015B", "0XC000005E", "0XC0000133", "0XC0000192")] with runs=5

Hi @hasan.idriss,

Most of the times I have come across this, it is due to a mapping issue.
The detection rules (the security application in general) need the correct ECS mappings.
When you look at Stack Management --> Data Views --> winlogbeat-*,
are there any mapping conflicts? You can find them with the type dropdown by selecting "conflict".

After this, continue checking the index mappings on the different data views and indices.

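As an added example (not part of this thread or Elastic's code), the check the reply above describes can also be done outside Kibana: pull the mapping with `GET winlogbeat-*/_mapping`, flatten it per index, and compare it against the ECS fields the "Privileged Account Brute Force" EQL in the first post references (`event.category` is implied by the `authentication` category). The mapping below is a constructed stand-in for that API response with two indices: one carrying the expected ECS fields and one older index that lacks several of them and maps `source.ip` as `keyword` instead of `ip`, which is exactly what the data view reports as a "conflict". The index names and the `RULE_FIELDS` list are assumptions made for the example.

```python
"""Check an index mapping for the ECS fields a detection rule references.

Added example; not Elastic's code. SAMPLE_MAPPING is a constructed
stand-in for the JSON returned by `GET winlogbeat-*/_mapping`.
"""
import json

# Fields referenced by the "Privileged Account Brute Force" EQL quoted in
# the thread (assumed list; the `authentication` category -> event.category).
RULE_FIELDS = [
    "event.category",
    "event.action",
    "host.os.type",
    "winlog.computer_name",
    "winlog.logon.type",
    "winlog.event_data.Status",
    "source.ip",
    "user.name",
]

# Constructed sample in the shape of the _mapping API response: two indices.
SAMPLE_MAPPING = json.loads("""
{
  "winlogbeat-8.0.0-2023.01": {"mappings": {"properties": {
    "event": {"properties": {
      "category": {"type": "keyword"},
      "action": {"type": "keyword"}}},
    "host": {"properties": {"os": {"properties": {"type": {"type": "keyword"}}}}},
    "winlog": {"properties": {
      "computer_name": {"type": "keyword"},
      "logon": {"properties": {"type": {"type": "keyword"}}},
      "event_data": {"properties": {"Status": {"type": "keyword"}}}}},
    "source": {"properties": {"ip": {"type": "ip"}}},
    "user": {"properties": {"name": {"type": "keyword"}}}
  }}},
  "winlogbeat-7.x-legacy": {"mappings": {"properties": {
    "event": {"properties": {
      "action": {"type": "keyword"},
      "code": {"type": "keyword"}}},
    "winlog": {"properties": {
      "computer_name": {"type": "keyword"},
      "event_id": {"type": "keyword"},
      "user": {"properties": {"name": {"type": "keyword"}}}}},
    "source": {"properties": {"ip": {"type": "keyword"}}}
  }}}
}
""")


def flatten_properties(properties, prefix=""):
    """Turn a nested `properties` tree into {dotted.field: es_type}."""
    out = {}
    for name, spec in properties.items():
        path = f"{prefix}{name}"
        if "properties" in spec:            # object field: recurse into it
            out.update(flatten_properties(spec["properties"], path + "."))
        if "type" in spec:                  # leaf field (or typed object)
            out[path] = spec["type"]
        for sub, subspec in spec.get("fields", {}).items():
            out[f"{path}.{sub}"] = subspec["type"]   # multi-fields, e.g. event.code.keyword
    return out


def check_rule_fields(mapping_response, rule_fields):
    """Return, per rule field, the indices lacking it and any type conflict.

    A field mapped with different types across indices is what the Kibana
    data view lists under the "conflict" type filter.
    """
    per_index = {
        idx: flatten_properties(body["mappings"].get("properties", {}))
        for idx, body in mapping_response.items()
    }
    report = {}
    for field in rule_fields:
        missing = sorted(i for i, m in per_index.items() if field not in m)
        types = sorted({m[field] for m in per_index.values() if field in m})
        report[field] = {"missing_in": missing, "types": types,
                         "conflict": len(types) > 1}
    return report


if __name__ == "__main__":
    for field, finding in check_rule_fields(SAMPLE_MAPPING, RULE_FIELDS).items():
        status = "OK"
        if finding["missing_in"]:
            status = "MISSING in " + ", ".join(finding["missing_in"])
        if finding["conflict"]:
            status += f" CONFLICT {finding['types']}"
        print(f"{field:28} {status}")
```

Run against the real mapping by replacing `SAMPLE_MAPPING` with the parsed response of `GET winlogbeat-*/_mapping`; every field reported as missing in an index matches an "Unknown column" line in the rule's error, and any conflict means the data view cannot use that field in a query until the old indices are reindexed or rolled over with the ECS template.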

My rule is active and functional, however, I use the Elastic Agent with the System and Windows integrations. What might be happening is that this rule needs some fields mapped to the Elastic Agent integrations. I ran into a similar problem on a detection rule that needed packetbeat.

