Elastic rule throwing error when checking for preview

I have built a rule in Elastic following my search keywords in Discover. However the rule throws error while checking for preview and never fires. I think logic is solid, indexing is solid as well. But not sure what is causing this. Following is the error I see. I need to get to the root cause of this and need help to troubleshoot this.

@siemdude Can you provide the rule definition for your rule? Are you saying that the rule runs successfully but only the preview functionality throws this error?

No. I meant that it doesn't run. And while trying to understand the issue, I found this error in preview. Following is the rule definition.

Index patterns: mssp-* dfir-*
Custom query: eventDesc :"New Suspicious threat detected" or eventDesc :"New active threat"
Rule type: Query
Timeline template: Comprehensive Process Timeline

Thanks @siemdude. Are the mssp-* and dfir-* indices ECS compliant?

I am not sure if this is ecs compliant. We're are receiving logs from a logstash.

Source -> logstash->elasticsearch.

I want to add that, I've found a field 'Host' coming as a static value across multiple records just like the warning in Preview says. I have confirmed this by checking the actual records.

I think these are not ECS compliant. Any suggestions?

I believe security detection rules must run on ECS compliant data. If your data is not ECS compliant, you might try an ES Query rule to define a custom query.

I am in version 8.3. I don't see an option for ES query like previous versions. Which specific rule type I should select for ES query?

The ES query rule is not a security rule. You can find it in Stack Management > Rules and Connectors if you create a rule from that page.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.