Fail to run pre-built alerts due to non-existent fields

Hi,

I am trying to use the pre-built alerts in Security > Rules, but the alert "Remote Computer Account DnsHostName Update" doesn't work.
Here's the execution log of the rule "Remote Computer Account DnsHostName Update":

An error occurred during rule execution: message: "verification_exception: [verification_exception] Reason: Found 1 problem line 11:5: Unknown column [winlog.event_data.DnsHostName], did you mean any of [...]?"
name: "Remote Computer Account DnsHostName Update" id: "89a0875e-2486-11ed-9438-973842af5781" rule id: "6bed021a-0afb-461c-acbe-ffdb9574d3f3" execution id: "69f02df9-ac1f-4c94-b915-968d10462d26" space ID: "default"

No real need to read it all; it just says that the field winlog.event_data.DnsHostName doesn't exist. I verified: this field exists neither in the winlogbeat documentation nor in the available fields in Discover. As it is an Elastic rule, I can't modify it.

How can I use it?
Is the only way to create a new rule, copy and paste the EQL query of the original pre-built rule, and modify the name of the field?

I am having the same problem with the rule "User Account Creation" with the field process.parent.name.

Thanks!

PS: Running on ELK 8.3 with Elastic Agent 8.3
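The verification_exception quoted in the post is raised because the rule's EQL query refers to a field the index does not map. The check below reproduces that verification offline, so a rule can be vetted against the index before it is enabled: it extracts the field names an EQL query references and compares them with what the index reports through `_field_caps`. This is an example added to this thread, not code from the original post or from Elastic; the EQL query and the `_field_caps` response are constructed to mirror the failing rule (not its exact text), and the keyword list is an assumption.

```python
"""Pre-flight check for a detection rule: which fields does its EQL query
reference that the target index does not map?  An unmapped field is what makes
the rule executor raise the verification_exception quoted in the post.
Example added to this thread; not Elastic's own code."""
import re

# EQL keywords/functions that look like identifiers (assumed list; extend).
EQL_KEYWORDS = {
    "where", "and", "or", "not", "in", "by", "sequence", "until", "maxspan",
    "with", "true", "false", "null", "like", "regex", "startswith", "endswith",
    "wildcard", "cidrmatch", "length", "concat", "add", "subtract",
}
_STRING = re.compile(r'"(?:\\.|[^"\\])*"')
_EVENT_CATEGORY = re.compile(r"\b\w+\s+where\b", re.IGNORECASE)
# Optional '?' prefix, then a dotted identifier not preceded by a quote or dot.
_IDENT = re.compile(r'(?<![\w."?])(\??)([A-Za-z_@][\w@]*(?:\.[A-Za-z_@][\w@]*)*)')

def referenced_fields(eql):
    """Field names the query depends on. EQL's optional prefix (?field) is
    skipped: an unmapped optional field is null instead of a verification error."""
    text = _STRING.sub('""', eql)              # drop string literals
    text = _EVENT_CATEGORY.sub("where", text)  # drop 'iam where', 'any where'
    return {name for optional, name in _IDENT.findall(text)
            if not optional and name.lower() not in EQL_KEYWORDS}

def missing_fields(eql, field_caps):
    """Fields the query uses that the _field_caps response does not list
    (shape of GET /<index>/_field_caps?fields=*: {"fields": {name: caps}})."""
    return sorted(referenced_fields(eql) - set(field_caps.get("fields", {})))

# Constructed EQL resembling the failing prebuilt rule (not its exact text).
SAMPLE_QUERY = '''
iam where event.action == "changed-computer-account" and event.code == "4742"
  and winlog.event_data.DnsHostName : "*"
  and not winlog.event_data.SubjectUserName : "*$"
'''
# Constructed _field_caps response for a winlogbeat index lacking DnsHostName.
SAMPLE_FIELD_CAPS = {
    "indices": ["winlogbeat-8.3.0"],
    "fields": {
        "event.action": {"keyword": {"type": "keyword"}},
        "event.code": {"keyword": {"type": "keyword"}},
        "winlog.event_data.HostName": {"keyword": {"type": "keyword"}},
        "winlog.event_data.SubjectUserName": {"keyword": {"type": "keyword"}},
    },
}

if __name__ == "__main__":
    print(missing_fields(SAMPLE_QUERY, SAMPLE_FIELD_CAPS))
```

Running the same check against the "User Account Creation" query shows process.parent.name as missing in the same way, which is the second failure described in the post.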
