I tried to set up a rule called “Excessive Firewall or ACL Denies from Single Source IP,” but it failed with the following error:
failed to parse field [_index] of type [_index] in document with id ...
Here are the details of the rule configuration:
- Index Patterns: logs-* and
- Custom Query:
(event.action : "deny" or event.action : "block" or event.action : "drop") and @timestamp >= now-5m
- Group By: source.ip and _index
- Threshold: >= 600
The goal of this rule is to detect cases where a single source IP is excessively denied within 5 minutes, as this could indicate brute force or reconnaissance activities.
However, I need to use _index as a Group By condition, so removing it is not an option. Has anyone encountered a similar issue, or does anyone know how to resolve this error? Could it be related to index structure or some specific configuration?
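As an added example (not part of the original post or of Elastic's own code), the following Python re-implements what the threshold rule above computes, so the expected per-(source.ip, _index) counts can be checked against constructed sample events before the rule is wired into the SIEM; it assumes each event is a dict carrying the four fields the rule references and uses a fixed NOW in place of the rule's execution time.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Actions the rule's custom query treats as a deny.
DENY_ACTIONS = {"deny", "block", "drop"}
# Fixed "rule execution time" for the constructed sample (assumption).
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)

def find_excessive_denies(events, now, threshold=600, window=timedelta(minutes=5)):
    """Mirror the threshold rule: count deny/block/drop events with
    @timestamp >= now-5m, grouped by (source.ip, _index), and return only
    the groups whose count reaches the threshold (>= 600 by default)."""
    start = now - window
    counts = Counter()
    for ev in events:
        if ev["event.action"] not in DENY_ACTIONS:
            continue                      # not matched by the custom query
        if ev["@timestamp"] < start:
            continue                      # outside the 5-minute lookback
        counts[(ev["source.ip"], ev["_index"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

def build_sample_events(now):
    """Constructed sample data (not from the original post)."""
    fw = "logs-firewall-default"
    events = []
    # 650 denies from one IP inside the window: should trip the rule.
    for i in range(650):
        events.append({"@timestamp": now - timedelta(seconds=i % 300),
                       "event.action": "deny", "source.ip": "203.0.113.7", "_index": fw})
    # 40 allows from the same IP: never counted by the query.
    for i in range(40):
        events.append({"@timestamp": now - timedelta(seconds=i),
                       "event.action": "allow", "source.ip": "203.0.113.7", "_index": fw})
    # 700 drops from another IP, all older than 5 minutes: outside the window.
    for i in range(700):
        events.append({"@timestamp": now - timedelta(minutes=6, seconds=i),
                       "event.action": "drop", "source.ip": "192.0.2.44", "_index": fw})
    # 20 blocks from a third IP inside the window: below the threshold.
    for i in range(20):
        events.append({"@timestamp": now - timedelta(seconds=i),
                       "event.action": "block", "source.ip": "198.51.100.9", "_index": fw})
    return events

def run_rule(threshold=600):
    """Evaluate the rule against the constructed sample at NOW."""
    return find_excessive_denies(build_sample_events(NOW), NOW, threshold=threshold)

if __name__ == "__main__":
    for (ip, index), n in run_rule().items():
        print(f"{ip}: {n} denies in {index} within the last 5 minutes")
```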