Error in detection rule: Remote Computer Account DnsHostName Update

I have an issue with a detection rule. Seems like there's a type mismatch in tables. Is this something I could fix myself or should this be handled by dev?

{
  "@timestamp": [
    "2025-05-03T08:36:23.495Z"
  ],
  "ecs.version": [
    "1.8.0"
  ],
  "event.action": [
    "status-change"
  ],
  "event.kind": [
    "event"
  ],
  "event.provider": [
    "securitySolution.ruleExecution"
  ],
  "event.sequence": [
    2
  ],
  "event.severity": [
    40
  ],
  "kibana.alert.rule.execution.status": [
    "failed"
  ],
  "kibana.alert.rule.execution.status_order": [
    30
  ],
  "kibana.alert.rule.execution.uuid": [
    "ca46331b-2f49-410a-82c7-cdaca71c11b3"
  ],
  "kibana.alert.rule.revision": [
    103
  ],
  "kibana.saved_objects": [
    {
      "rel": [
        "primary"
      ],
      "id": [
        "541b2b40-caed-11ed-9d31-81c7b0c1937c"
      ],
      "type": [
        "alert"
      ]
    }
  ],
  "kibana.server_uuid": [
    "7bd6d26c-186b-4bf5-8a93-8be24fecb77e"
  ],
  "kibana.space_ids": [
    "default"
  ],
  "kibana.version": [
    "8.18.0"
  ],
  "log.level": [
    "error"
  ],
  "message": [
    "verification_exception\n\tRoot causes:\n\t\tverification_exception: Found 1 problem\nline 6:42: Cannot use field [source.ip] due to ambiguities being mapped as [2] incompatible types: [keyword] in [.ds-logs-system.security-default-2025.03.16-000049], [ip] in [.ds-logs-system.auth-default-2025.02.14-000047, .ds-logs-system.auth-default-2025.03.16-000049, .ds-logs-system.auth-default-2025.04.15-000050, .ds-logs-system.security-default-2025.02.14-000048, .ds-logs-system.security-default-2025.04.15-000050]"
  ],
  "rule.category": [
    "siem.eqlRule"
  ],
  "rule.id": [
    "541b2b40-caed-11ed-9d31-81c7b0c1937c"
  ],
  "rule.name": [
    "Remote Computer Account DnsHostName Update"
  ],
  "rule.uuid": [
    "6bed021a-0afb-461c-acbe-ffdb9574d3f3"
  ],
  "_id": "XoVKlZYBVbwnv2qIGVPX",
  "_index": ".ds-.kibana-event-log-ds-2025.04.30-000134",
  "_score": null
}

This is a mapping conflict, the problem is that it is happening with an Elastic Agent integration.

Can you confirm which version of the System integration you are using now?

This issue was introduced in this PR, for the integrations System (1.67.0) and Windows (2.5.0).

It broke the ECS mappings for some indices, which breaks alerts, visualizations, dashboards etc., so it was reverted in this PR. The fixed versions of the integrations are 1.67.3 for the System integration and 2.5.2 for the Windows integration.

It seems that you are already using the fixed integrations, but fixing this issue is more complicated.

The easiest way to fix this would be by either removing the backing index with the wrong mapping, or reindexing it and then removing it.

Can you remove this or do you still need to keep the backing index?

Hello Leandro,

First of all, I am not an expert and this is a test / demo environment.
So "loss of data" would not be a problem.

System Integration is on 1.68.2. Windows Integration is not installed.

Could you give me a hint on how to fix this issue?

Since data loss is not a problem, removing the conflicting index should fix the issue.

Just go into Kibana > Dev Tools and run this request:

DELETE .ds-logs-system.security-default-2025.03.16-000049

This will delete the backing index .ds-logs-system.security-default-2025.03.16-000049 for the data stream logs-system.security-default. The data will be removed from the cluster and the conflict will stop, as all other backing indices have the correct mapping.

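The check below is an added example, not code from this thread or from Elastic: it reads a field capabilities response (the real endpoint is GET logs-system.*/_field_caps?fields=source.ip, but the response here is constructed to mirror the rule execution error above) and reports which backing indices carry the minority mapping for a field. That is the same conclusion Leandro reached by reading the error message, done programmatically so it can be run before deleting or reindexing anything.

```python
# Added example (not from the thread): find fields mapped as more than one
# type across the indices a rule queries, using the shape of the
# Elasticsearch field capabilities API. A live check would fetch it with
#   GET logs-system.*/_field_caps?fields=source.ip
# The response below is constructed to mirror the error in the thread.
SEC = ".ds-logs-system.security-default-"
AUTH = ".ds-logs-system.auth-default-"
IP_INDICES = [AUTH + "2025.02.14-000047", AUTH + "2025.03.16-000049",
              AUTH + "2025.04.15-000050", SEC + "2025.02.14-000048",
              SEC + "2025.04.15-000050"]
KEYWORD_INDICES = [SEC + "2025.03.16-000049"]  # the index with the bad mapping

FIELD_CAPS = {  # constructed; same structure as a real _field_caps response
    "indices": sorted(IP_INDICES + KEYWORD_INDICES),
    "fields": {
        # two entries => the field is mapped inconsistently; each entry
        # lists the indices that carry that type
        "source.ip": {
            "ip": {"type": "ip", "searchable": True, "aggregatable": True,
                   "indices": IP_INDICES},
            "keyword": {"type": "keyword", "searchable": True,
                        "aggregatable": True, "indices": KEYWORD_INDICES},
        },
        # one entry and no "indices" key => same type in every index
        "event.action": {"keyword": {"type": "keyword", "searchable": True,
                                     "aggregatable": True}},
    },
}


def find_mapping_conflicts(field_caps):
    """Return {field: {type: [indices]}} for fields with >1 mapped type."""
    conflicts = {}
    for field, by_type in field_caps["fields"].items():
        if len(by_type) > 1:
            conflicts[field] = {t: sorted(caps.get("indices", field_caps["indices"]))
                                for t, caps in by_type.items()}
    return conflicts


def outlier_indices(field_caps, field):
    """Indices carrying the minority type for `field`: the candidates to
    reindex or delete, as the thread does for the security data stream."""
    by_type = find_mapping_conflicts(field_caps).get(field, {})
    if not by_type:
        return []
    majority = max(by_type, key=lambda t: len(by_type[t]))
    return sorted(i for t, idx in by_type.items() if t != majority for i in idx)
```

Before deleting, confirm the reported index is not the current write index of the data stream, since that one is still receiving data and should be rolled over first.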

Thank you. Guess the

will then be recreated on need?

A new backing index already exists.

A data stream writes data into backing indices that are created according to an Index Lifecycle Policy. You seem to be using the default one, so a new backing index will be created every 30 days, give or take, or when it reaches 50 GB in size.

Currently the data stream logs-system.security-default in your cluster seems to have these backing indices:

.ds-logs-system.security-default-2025.02.14-000048
.ds-logs-system.security-default-2025.03.16-000049
.ds-logs-system.security-default-2025.04.15-000050

The most recent one is .ds-logs-system.security-default-2025.04.15-000050, so this is where the recent data is being written. On May 15th the data stream will roll over and a new backing index will be created; you do not need to do anything.

Thank you Leandro,

DELETE .ds-logs-system.security-default-2025.03.16-000049
{
  "acknowledged": true
}

I will keep an eye on this now.

Maybe a side effect, but the "[Elastic Security] Detection rule monitoring" dashboard now cannot be opened.
If I try to select it in the menu, the empty dashboard is shown and I can barely catch an error in the lower right corner. Then the system goes back to the logon screen and keeps looping the same way.
If I go into the GUI via the regular login screen, I can log in.

No, this is unrelated.

It may be another different issue.