Elastic Security Rule exception

Billz1026 · March 22, 2022, 6:42am

Hi,

I have been using elastic security as a SIEM for my organization for some time. Due to insufficient space, I had deleted one index. Thereafter I saw failures of the detection rules which was not the case before.
Below is one failure message.

The error is as follows.

An error occurred during rule execution: message: "verification_exception: [verification_exception] Reason: Found 5 problems line 2:4: Cannot use field [event.category] due to ambiguities being mapped as [2] incompatible types: [text] in [winlogbeat-7.12.0], [keyword] in [.ds-logs-endpoint.events.file-default-2022.02.03-000001, .ds-logs-endpoint.events.file-default-2022.03.08-000002, .ds-logs-endpoint.events.library-default-2022.02.03-000001, .ds-logs-endpoint.events.library-default-2022.03.08-000002, .ds-logs-endpoint.events.network-default-2022.02.03-000001, .ds-logs-endpoint.events.network-default-2022.03.08-000002, .ds-logs-endpoint.events.process-default-2022.02.03-000001, .ds-logs-endpoint.events.process-default-2022.03.08-000002, .ds-logs-endpoint.events.registry-default-2022.02.03-000001, .ds-logs-endpoint.events.registry-default-2022.03.08-000002, .ds-logs-endpoint.events.security-default-2022.02.03-000001, .ds-logs-endpoint.events.security-default-2022.03.08-000002, .ds-logs-windows.forwarded-default-2022.02.21-000001, .ds-logs-windows.powershell-default-2022.02.03-000001, .ds-logs-windows.powershell-default-2022.03.08-000002, .ds-logs-windows.powershell_operational-default-2022.02.03-000001, .ds-logs-windows.powershell_operational-default-2022.03.08-000002, .ds-logs-windows.sysmon_operational-default-2022.02.03-000001, .ds-logs-windows.sysmon_operational-default-2022.03.08-000002] line 2:15: Cannot use field [event.type] due to ambiguities being mapped as [2] incompatible types: [text] in [winlogbeat-7.12.0], [keyword] in [.ds-logs-endpoint.events.file-default-2022.02.03-000001, .ds-logs-endpoint.events.file-default-2022.03.08-000002, .ds-logs-endpoint.events.library-default-2022.02.03-000001, .ds-logs-endpoint.events.library-default-2022.03.08-000002, .ds-logs-endpoint.events.network-default-2022.02.03-000001, .ds-logs-endpoint.events.network-default-2022.03.08-000002, .ds-logs-endpoint.events.process-default-2022.02.03-000001, .ds-logs-endpoint.events.process-default-2022.03.08-000002, .ds-logs-endpoint.events.registry-default-2022.02.03-000001, .ds-logs-endpoint.events.registry-default-2022.03.08-000002, .ds-logs-endpoint.events.security-default-2022.02.03-000001, .ds-logs-endpoint.events.security-default-2022.03.08-000002, .ds-logs-windows.forwarded-default-2022.02.21-000001, .ds-logs-windows.powershell-default-2022.02.03-000001, .ds-logs-windows.powershell-default-2022.03.08-000002, .ds-logs-windows.powershell_operational-default-2022.02.03-000001, .ds-logs-windows.powershell_operational-default-2022.03.08-000002, .ds-logs-windows.sysmon_operational-default-2022.02.03-000001, .ds-logs-windows.sysmon_operational-default-2022.03.08-000002] line 2:44: Cannot use field [file.extension] due to ambiguities being mapped as [2] incompatible types: [text] in [winlogbeat-7.12.0], [keyword] in [.ds-logs-endpoint.events.file-default-2022.02.03-000001, .ds-logs-endpoint.events.file-default-2022.03.08-000002, .ds-logs-windows.forwarded-default-2022.02.21-000001, .ds-logs-windows.powershell-default-2022.02.03-000001, .ds-logs-windows.powershell-default-2022.03.08-000002, .ds-logs-windows.powershell_operational-default-2022.02.03-000001, .ds-logs-windows.powershell_operational-default-2022.03.08-000002, .ds-logs-windows.sysmon_operational-default-2022.02.03-000001, .ds-logs-windows.sysmon_operational-default-2022.03.08-000002] line 3:7: Cannot use field [process.name] due to ambiguities being mapped as [2] incompatible types: [text] in [winlogbeat-7.12.0], [keyword] in [.ds-logs-endpoint.events.file-default-2022.02.03-000001, .ds-logs-endpoint.events.file-default-2022.03.08-000002, .ds-logs-endpoint.events.library-default-2022.02.03-000001, .ds-logs-endpoint.events.library-default-2022.03.08-000002, .ds-logs-endpoint.events.network-default-2022.02.03-000001, .ds-logs-endpoint.events.network-default-2022.03.08-000002, .ds-logs-endpoint.events.process-default-2022.02.03-000001, .ds-logs-endpoint.events.process-default-2022.03.08-000002, .ds-logs-endpoint.events.registry-default-2022.02.03-000001, .ds-logs-endpoint.events.registry-default-2022.03.08-000002, .ds-logs-endpoint.events.security-default-2022.02.03-000001, .ds-logs-endpoint.events.security-default-2022.03.08-000002, .ds-logs-windows.forwarded-default-2022.02.21-000001, .ds-logs-windows.powershell-default-2022.02.03-000001, .ds-logs-windows.powershell-default-2022.03.08-000002, .ds-logs-windows.powershell_operational-default-2022.02.03-000001, .ds-logs-windows.powershell_operational-default-2022.03.08-000002, .ds-logs-windows.sysmon_operational-default-2022.02.03-000001, .ds-logs-windows.sysmon_operational-default-2022.03.08-000002] line 7:11: Cannot use field [file.name] due to ambiguities being mapped as [2] incompatible types: [text] in [winlogbeat-7.12.0], [keyword] in [.ds-logs-endpoint.events.file-default-2022.02.03-000001, .ds-logs-endpoint.events.file-default-2022.03.08-000002, .ds-logs-endpoint.events.library-default-2022.02.03-000001, .ds-logs-endpoint.events.library-default-2022.03.08-000002, .ds-logs-windows.forwarded-default-2022.02.21-000001, .ds-logs-windows.powershell-default-2022.02.03-000001, .ds-logs-windows.powershell-default-2022.03.08-000002, .ds-logs-windows.powershell_operational-default-2022.02.03-000001, .ds-logs-windows.powershell_operational-default-2022.03.08-000002, .ds-logs-windows.sysmon_operational-default-2022.02.03-000001, .ds-logs-windows.sysmon_operational-default-2022.03.08-000002]" name: "Execution of File Written or Modified by PDF Reader" id: "6a7fd802-2746-11ec-ad7a-d9be8782438c" rule id: "1defdd62-cd8d-426e-a246-81a37751bb2b" signals index: ".siem-signals-default"```

From the error I can see, the detection is failing due to two different types of event.category field in different indexes. When I checked the index patterns, I could verify two different types of the event.category field. But I couldn't edit the type of the filed.

Hence I would really appreciate if someone can give a hint to resolve this.

BR,
Billz

Mike_Paquette · March 22, 2022, 12:20pm

Hi @Billz1026, thanks for the post.

The error message tells us that there are mapping problems with your winlogbeat-7.12.0 index/indices.

The message reports that event.category, event.type, file.extension, process.name, and file.name are being indexed as data type text, which is not compatible with the required ECS-defined data type of keyword.

One hypothesis is that when you deleted one index, you somehow removed /altered the index mapping template(s) for the winlogbeat-7.12.0 index, and now new events being written to that index are no longer compliant with ECS.

If this hypothesis turns out to be true, you will need to update the index mapping templates for your winlogbeat-7.12.0 index pattern, and then as new data is correctly indexed, the rule failures should stop.

Additionally, you may choose to go back and correct the improperly mapped events via some kind of re-index operation.

Could you share your index mappings for your winlogbeat-7.12.0 index pattern so we can see if this is the problem? (Stack Management -> Index Management -> select winlogbeat-7.12.0 then select Mappings)

system · April 19, 2022, 12:20pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Verification_exception Error during Rule Execution Elastic Security	4	2654	August 13, 2021
Syntax error shown in EQL queries for correlation Elastic Security	1	424	March 10, 2022
Rules failing SIEM	3	475	January 15, 2024
Elastic prebuilt rules error Elastic Security	3	1053	July 17, 2023
Security rule exception not working Elastic Security	5	1235	February 18, 2022

Elastic Security Rule exception

Related topics