Geo-Containment Issues

I've been trying to get a geo-containment rule to work, but it just won't alert. Anybody able to identify where I'm going wrong? I can't get it to trigger either of the actions. Running Elastic Stack 8.7.1.

Here's the configuration:

I get the following error in Kibana.log.

{
	"service": {
		"node": {
			"roles": [
				"background_tasks",
				"ui"
			]
		}
	},
	"ecs": {
		"version": "8.6.0"
	},
	"@timestamp": "2023-05-04T15:59:42.412-05:00",
	"message": "illegal_argument_exception\n\tRoot causes:\n\t\tillegal_argument_exception: [filters] cannot be empty.",
	"log": {
		"level": "WARN",
		"logger": "plugins.alerting.geo-containment"
	},
	"process": {
		"pid": 2560
	},
	"trace": {
		"id": "b038e9bdc2e2d4860e4074ff2948f1d0"
	},
	"transaction": {
		"id": "fbd00ebf2bc653a6"
	}
}

Hi @wwalker,

Could you provide the exact rule configuration? You can grab that using the API. This will provide more details into the exact rule parameters that were saved for this rule. Thanks!

{
    "id":  "dca811e0-c3c1-11ed-bc80-534b04d034fe",
    "consumer":  "alerts",
    "tags":  [

             ],
    "name":  "VPN Login Outside Boundaries",
    "throttle":  null,
    "enabled":  true,
    "running":  false,
    "schedule":  {
                     "interval":  "30s"
                 },
    "params":  {
                   "index":  "fortigate*",
                   "entity":  "client.wan_ip",
                   "dateField":  "@timestamp",
                   "boundaryType":  "entireIndex",
                   "geoField":  "client.coordinates",
                   "boundaryIndexTitle":  "forti_geo",
                   "boundaryGeoField":  "location",
                   "boundaryNameField":  "name",
                   "boundaryIndexQuery":  {
                                              "query":  "name: \"Illinois_Missouri\"",
                                              "language":  "kuery"
                                          },
                   "indexQuery":  {
                                      "query":  "log.id: \"39424\" ",
                                      "language":  "kuery"
                                  },
                   "indexId":  "7b100daa-4973-5627-a677-834d1dcabf66",
                   "boundaryIndexId":  "forti_geo"
               },
    "rule_type_id":  ".geo-containment",
    "created_by":  "::redacted::",
    "updated_by":  "::redacted::",
    "created_at":  "2023-03-16T06:14:51.980Z",
    "updated_at":  "2023-05-04T20:37:08.604Z",
    "api_key_owner":  "::redacted::",
    "notify_when":  null,
    "muted_alert_ids":  [

                        ],
    "mute_all":  false,
    "scheduled_task_id":  "dca811e0-c3c1-11ed-bc80-534b04d034fe",
    "execution_status":  {
                             "status":  "ok",
                             "last_execution_date":  "2023-05-08T16:09:25.100Z",
                             "last_duration":  93
                         },
    "actions":  [
                    {
                        "group":  "Tracked entity contained",
                        "id":  "2864ea00-c3c1-11ed-bc80-534b04d034fe",
                        "params":  "@{message=Alert Action Group: {{alert.actionGroup}}\nAlert Action Group Name: {{alert.actionGroupName}}\nAlert Action Subgroup: {{alert.actionSubgroup}}\nAlert ID: {{alert.id}}\nContext Containing Boundary ID: {{context.containingBoundaryId}}\nContext Containing Boundary Name: {{context.containingBoundaryName}}\nContext Dectection Date/Time: {{context.detectionDateTime}}\nContext Entity Document ID: {{context.entityDocumentId}}\nContext Entity ID: {{context.entityId}}\nContext Entity Location: {{context.entityLocation}}\nDate: {{date}}\nKibana Base URL: {{kibanaBaseUrl}}\nRule ID: {{rule.id}}\nRule Name: {{rule.name}}\nSpace ID: {{rule.spaceId}}\nRule Tags: {{rule.tags}}\nRule Type: {{rule.type}}\n; to=System.Object[]; subject=Login Outside Geo-Boundary}",
                        "connector_type_id":  ".email",
                        "frequency":  "@{summary=False; notify_when=onActiveAlert; throttle=}"
                    },
                    {
                        "group":  "Tracked entity contained",
                        "id":  "c0ca1050-c820-11ed-b819-f1adcb85088e",
                        "params":  "@{documents=System.Object[]}",
                        "connector_type_id":  ".index",
                        "frequency":  "@{summary=False; notify_when=onActiveAlert; throttle=}"
                    }
                ],
    "last_run":  {
                     "alerts_count":  {
                                          "new":  0,
                                          "ignored":  0,
                                          "recovered":  0,
                                          "active":  0
                                      },
                     "outcome_msg":  null,
                     "outcome_order":  0,
                     "outcome":  "succeeded",
                     "warning":  null
                 },
    "next_run":  "2023-05-08T16:09:55.039Z"
}

Hi @wwalker

It looks like the error is occurring because your Boundary filter "name: Illinois_Missouri" on the "forti_geo" data view does not match any documents. Can you verify that this filter returns documents? You can test this in Discover by viewing the "forti_geo" data view and adding the filter. Do any documents get returned?
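To make the diagnosis above concrete, here is an added example (not code from the thread or from Elastic) that simulates offline the two steps a geo-containment rule performs on each run, driven by the rule params posted earlier: first the boundaryIndexQuery selects boundary shapes, then each entity's location is tested against them. The boundary index contents, the Fortigate events and the coarsened 14-vertex ring (taken from the Illinois_Missouri polygon posted later in the thread) are all constructed inputs, and the minimal KQL matcher only understands the `field: "value"` shape the posted rule uses.

```python
# Added example, not code from the thread or from Elastic: an offline
# simulation of the two steps a geo-containment rule performs on each run,
# driven by the posted rule params. The ring is a constructed, coarsened
# version of the posted Illinois_Missouri polygon, so edges are approximate.
import re

RULE_PARAMS = {  # the relevant subset of the posted rule's "params"
    "entity": "client.wan_ip",
    "geoField": "client.coordinates",
    "indexQuery": {"query": 'log.id: "39424"', "language": "kuery"},
    "boundaryNameField": "name",
    "boundaryGeoField": "location",
    "boundaryIndexQuery": {"query": 'name: "Illinois_Missouri"', "language": "kuery"},
}
ILLINOIS_MISSOURI_RING = [  # constructed: coarsened outer ring, GeoJSON [lon, lat], closed
    (-90.6411, 42.5084), (-87.02003, 42.49349), (-87.52345, 41.76028),
    (-87.53139, 39.34767), (-87.64005, 39.16684), (-88.05473, 37.81248),
    (-89.2038, 37.03015), (-90.39329, 36.00731), (-94.62787, 36.48695),
    (-94.60695, 39.11363), (-95.76792, 40.58498), (-91.73002, 40.61421),
    (-90.40642, 41.52236), (-90.6411, 42.5084),
]
BOUNDARY_DOCS = [  # constructed contents of the "forti_geo" boundary index
    {"name": "Illinois_Missouri",
     "location": {"type": "polygon", "coordinates": [ILLINOIS_MISSOURI_RING]}},
]
ENTITY_DOCS = [  # constructed fortigate events; IPs are RFC 5737 test addresses
    {"log": {"id": "39424"}, "client": {"wan_ip": "203.0.113.10",
     "coordinates": {"lat": 39.78, "lon": -89.65}}},     # Springfield, IL
    {"log": {"id": "39424"}, "client": {"wan_ip": "198.51.100.21",
     "coordinates": "38.63,-90.20"}},                    # St. Louis, MO
    {"log": {"id": "39424"}, "client": {"wan_ip": "198.51.100.7",
     "coordinates": [-104.99, 39.74]}},                  # Denver, CO
    {"log": {"id": "00001"}, "client": {"wan_ip": "192.0.2.9",
     "coordinates": [-89.65, 39.78]}},                   # not a VPN login
]

def get_path(doc, dotted):
    """Resolve a dotted field name such as client.wan_ip in a nested doc."""
    for part in dotted.split("."):
        doc = doc.get(part) if isinstance(doc, dict) else None
    return doc

def kql_matches(doc, kql):
    """Only the field: "value" KQL shape the posted rule uses; exact (keyword) compare."""
    m = re.fullmatch(r'\s*([\w.]+)\s*:\s*"([^"]*)"\s*', kql["query"])
    if not m:
        raise ValueError("unsupported KQL in this demo: %r" % kql["query"])
    field, value = m.groups()
    return str(get_path(doc, field)) == value

def to_lon_lat(value):
    """geo_point to (lon, lat): objects and "lat,lon" strings are lat-first, arrays lon-first."""
    if isinstance(value, dict):
        return float(value["lon"]), float(value["lat"])
    if isinstance(value, str):
        lat, lon = (float(p) for p in value.split(","))
        return lon, lat
    if isinstance(value, (list, tuple)) and len(value) == 2:
        return float(value[0]), float(value[1])
    raise ValueError("unsupported geo_point encoding: %r" % (value,))

def point_in_ring(lon, lat, ring):
    """Even-odd ray casting: toggle for each edge crossed by a ray cast east."""
    inside, j = False, len(ring) - 1
    for i, (xi, yi) in enumerate(ring):
        xj, yj = ring[j]
        if (yi > lat) != (yj > lat):
            if lon < xj + (lat - yj) * (xi - xj) / (yi - yj):
                inside = not inside
        j = i
    return inside

def point_in_polygon(lon, lat, polygon):
    """GeoJSON polygon: first ring is the outer boundary, the rest are holes."""
    outer, *holes = polygon["coordinates"]
    return point_in_ring(lon, lat, outer) and not any(point_in_ring(lon, lat, h) for h in holes)

def select_boundaries(params, boundary_docs):
    """Step 1: boundaryIndexQuery picks the shapes entities are tested against."""
    return [d for d in boundary_docs if kql_matches(d, params["boundaryIndexQuery"])]

def evaluate_rule(params, boundary_docs, entity_docs):
    """Step 2: map each entity matched by indexQuery to the boundaries that
    contain its location. Returns {entity_id: [boundary names]}."""
    boundaries = select_boundaries(params, boundary_docs)
    if not boundaries:
        # no boundary shape, so no geo filters; the reply above ties the posted warning to this case
        raise ValueError("[filters] cannot be empty")
    result = {}
    for doc in entity_docs:
        entity, location = get_path(doc, params["entity"]), get_path(doc, params["geoField"])
        if not kql_matches(doc, params["indexQuery"]) or entity is None or location is None:
            continue  # not a tracked event, or it lacks the entity/location field
        lon, lat = to_lon_lat(location)
        result[entity] = [b[params["boundaryNameField"]] for b in boundaries
                          if point_in_polygon(lon, lat, b[params["boundaryGeoField"]])]
    return result
```

Running `select_boundaries` with the posted boundaryIndexQuery against your real boundary index contents is the same check the reply asks for in Discover: an empty list is what produces the warning, and an entity with an empty boundary list is one located outside every selected boundary.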

Here's the JSON for that event:

{
  "_index": "forti_geo",
  "_id": "CIoF6YYBZJqsYrt0JFJr",
  "_version": 1,
  "_score": 0,
  "_source": {
    "name": "Illinois_Missouri",
    "location": {
      "type": "polygon",
      "coordinates": [
        [
          [
            -90.6411,
            42.5084
          ],
          [
            -88.77688,
            42.49207
          ],
          [
            -88.65873,
            42.49439
          ],
          [
            -88.19969,
            42.49495
          ],
          [
            -87.02003,
            42.49349
          ],
          [
            -87.20791,
            41.76082
          ],
          [
            -87.52345,
            41.76028
          ],
          [
            -87.53139,
            39.34767
          ],
          [
            -87.54324,
            39.35314
          ],
          [
            -87.55372,
            39.34019
          ],
          [
            -87.57741,
            39.3403
          ],
          [
            -87.58871,
            39.33377
          ],
          [
            -87.60015,
            39.31312
          ],
          [
            -87.59715,
            39.29658
          ],
          [
            -87.60982,
            39.28225
          ],
          [
            -87.60527,
            39.26142
          ],
          [
            -87.59368,
            39.24733
          ],
          [
            -87.58367,
            39.24364
          ],
          [
            -87.57458,
            39.21846
          ],
          [
            -87.60595,
            39.18516
          ],
          [
            -87.64005,
            39.16684
          ],
          [
            -87.48272,
            38.70261
          ],
          [
            -88.05473,
            37.81248
          ],
          [
            -88.14313,
            37.59442
          ],
          [
            -88.08073,
            37.49547
          ],
          [
            -88.47074,
            37.40465
          ],
          [
            -88.50714,
            37.27649
          ],
          [
            -88.40834,
            37.09006
          ],
          [
            -88.9778,
            37.21035
          ],
          [
            -89.2038,
            37.03015
          ],
          [
            -89.10864,
            36.75427
          ],
          [
            -89.73907,
            36.03617
          ],
          [
            -90.39329,
            36.00731
          ],
          [
            -90.07213,
            36.31462
          ],
          [
            -90.20297,
            36.49652
          ],
          [
            -94.62787,
            36.48695
          ],
          [
            -94.60695,
            39.11363
          ],
          [
            -94.58643,
            39.14568
          ],
          [
            -94.60908,
            39.16097
          ],
          [
            -94.64879,
            39.15312
          ],
          [
            -94.66133,
            39.16119
          ],
          [
            -94.65973,
            39.17792
          ],
          [
            -94.68451,
            39.18391
          ],
          [
            -94.72556,
            39.16821
          ],
          [
            -94.74741,
            39.1711
          ],
          [
            -94.76767,
            39.18433
          ],
          [
            -94.78526,
            39.20808
          ],
          [
            -94.82283,
            39.20932
          ],
          [
            -94.83483,
            39.22295
          ],
          [
            -94.82534,
            39.24546
          ],
          [
            -94.84177,
            39.26667
          ],
          [
            -94.88402,
            39.28362
          ],
          [
            -94.90318,
            39.30542
          ],
          [
            -94.90815,
            39.32338
          ],
          [
            -94.90973,
            39.35381
          ],
          [
            -94.90133,
            39.3616
          ],
          [
            -94.88497,
            39.36695
          ],
          [
            -94.87899,
            39.37506
          ],
          [
            -94.88133,
            39.38521
          ],
          [
            -94.89044,
            39.39293
          ],
          [
            -94.90077,
            39.39307
          ],
          [
            -94.91303,
            39.38792
          ],
          [
            -94.92582,
            39.38427
          ],
          [
            -94.94351,
            39.38968
          ],
          [
            -94.94736,
            39.40064
          ],
          [
            -94.94999,
            39.41147
          ],
          [
            -94.97259,
            39.42094
          ],
          [
            -94.98567,
            39.4452
          ],
          [
            -95.02099,
            39.45381
          ],
          [
            -95.04186,
            39.4668
          ],
          [
            -95.04944,
            39.48254
          ],
          [
            -95.05229,
            39.50284
          ],
          [
            -95.08595,
            39.51857
          ],
          [
            -95.10515,
            39.53466
          ],
          [
            -95.11321,
            39.55294
          ],
          [
            -95.11054,
            39.56722
          ],
          [
            -95.10319,
            39.57782
          ],
          [
            -95.09489,
            39.58038
          ],
          [
            -95.08612,
            39.58056
          ],
          [
            -95.0719,
            39.57618
          ],
          [
            -95.05838,
            39.57947
          ],
          [
            -95.04724,
            39.59317
          ],
          [
            -95.04772,
            39.60814
          ],
          [
            -95.0553,
            39.62038
          ],
          [
            -95.05104,
            39.637
          ],
          [
            -95.02923,
            39.66383
          ],
          [
            -95.01785,
            39.6735
          ],
          [
            -94.99912,
            39.67696
          ],
          [
            -94.97802,
            39.68025
          ],
          [
            -94.96901,
            39.69083
          ],
          [
            -94.97091,
            39.73186
          ],
          [
            -94.95952,
            39.74445
          ],
          [
            -94.946,
            39.74582
          ],
          [
            -94.9169,
            39.72816
          ],
          [
            -94.89368,
            39.72404
          ],
          [
            -94.8651,
            39.7364
          ],
          [
            -94.85693,
            39.75622
          ],
          [
            -94.86382,
            39.76878
          ],
          [
            -94.8748,
            39.77623
          ],
          [
            -94.87123,
            39.77261
          ],
          [
            -94.88316,
            39.76995
          ],
          [
            -94.90636,
            39.75838
          ],
          [
            -94.92184,
            39.76336
          ],
          [
            -94.93604,
            39.77493
          ],
          [
            -94.93477,
            39.78336
          ],
          [
            -94.93041,
            39.78822
          ],
          [
            -94.92282,
            39.78973
          ],
          [
            -94.89202,
            39.79114
          ],
          [
            -94.88119,
            39.79687
          ],
          [
            -94.87598,
            39.80789
          ],
          [
            -94.8795,
            39.82895
          ],
          [
            -94.88878,
            39.83414
          ],
          [
            -94.91269,
            39.83446
          ],
          [
            -94.93196,
            39.84494
          ],
          [
            -94.94124,
            39.85304
          ],
          [
            -94.94181,
            39.86459
          ],
          [
            -94.92732,
            39.8784
          ],
          [
            -94.93056,
            39.89114
          ],
          [
            -94.94898,
            39.9001
          ],
          [
            -94.96248,
            39.90161
          ],
          [
            -94.98864,
            39.89632
          ],
          [
            -95.00932,
            39.90117
          ],
          [
            -95.02366,
            39.8933
          ],
          [
            -95.02817,
            39.86988
          ],
          [
            -95.0435,
            39.86351
          ],
          [
            -95.08808,
            39.86232
          ],
          [
            -95.10974,
            39.87117
          ],
          [
            -95.13309,
            39.87538
          ],
          [
            -95.14462,
            39.88909
          ],
          [
            -95.14293,
            39.90258
          ],
          [
            -95.15911,
            39.90722
          ],
          [
            -95.18035,
            39.89945
          ],
          [
            -95.20369,
            39.90484
          ],
          [
            -95.20721,
            39.91757
          ],
          [
            -95.19905,
            39.92858
          ],
          [
            -95.20749,
            39.9413
          ],
          [
            -95.22873,
            39.94367
          ],
          [
            -95.24633,
            39.94616
          ],
          [
            -95.25885,
            39.955
          ],
          [
            -95.27474,
            39.97333
          ],
          [
            -95.30048,
            39.98313
          ],
          [
            -95.30765,
            39.98971
          ],
          [
            -95.31187,
            40.01029
          ],
          [
            -95.33629,
            40.01868
          ],
          [
            -95.34991,
            40.0306
          ],
          [
            -95.36394,
            40.03102
          ],
          [
            -95.38826,
            40.02581
          ],
          [
            -95.40729,
            40.03219
          ],
          [
            -95.41869,
            40.04496
          ],
          [
            -95.42119,
            40.06315
          ],
          [
            -95.40799,
            40.07729
          ],
          [
            -95.41049,
            40.0943
          ],
          [
            -95.39354,
            40.1096
          ],
          [
            -95.39482,
            40.12387
          ],
          [
            -95.40761,
            40.1294
          ],
          [
            -95.42484,
            40.13152
          ],
          [
            -95.43289,
            40.14066
          ],
          [
            -95.43665,
            40.16052
          ],
          [
            -95.46221,
            40.16954
          ],
          [
            -95.48208,
            40.18971
          ],
          [
            -95.48153,
            40.20436
          ],
          [
            -95.47013,
            40.21921
          ],
          [
            -95.47233,
            40.2374
          ],
          [
            -95.48553,
            40.2479
          ],
          [
            -95.50832,
            40.24928
          ],
          [
            -95.52305,
            40.24949
          ],
          [
            -95.53889,
            40.25649
          ],
          [
            -95.55348,
            40.26201
          ],
          [
            -95.55778,
            40.27006
          ],
          [
            -95.5507,
            40.28544
          ],
          [
            -95.55688,
            40.29515
          ],
          [
            -95.57147,
            40.29971
          ],
          [
            -95.58689,
            40.30088
          ],
          [
            -95.60384,
            40.31253
          ],
          [
            -95.61913,
            40.3137
          ],
          [
            -95.64664,
            40.30533
          ],
          [
            -95.65817,
            40.31147
          ],
          [
            -95.65651,
            40.32111
          ],
          [
            -95.64511,
            40.3263
          ],
          [
            -95.63038,
            40.33054
          ],
          [
            -95.62246,
            40.33912
          ],
          [
            -95.62692,
            40.35416
          ],
          [
            -95.64234,
            40.36654
          ],
          [
            -95.64415,
            40.39036
          ],
          [
            -95.66165,
            40.41406
          ],
          [
            -95.65512,
            40.43511
          ],
          [
            -95.66457,
            40.45044
          ],
          [
            -95.68013,
            40.46165
          ],
          [
            -95.69278,
            40.46873
          ],
          [
            -95.69736,
            40.47666
          ],
          [
            -95.69407,
            40.49739
          ],
          [
            -95.71491,
            40.52813
          ],
          [
            -95.72811,
            40.5276
          ],
          [
            -95.73825,
            40.52401
          ],
          [
            -95.76284,
            40.52776
          ],
          [
            -95.77029,
            40.53561
          ],
          [
            -95.76284,
            40.55091
          ],
          [
            -95.77435,
            40.57534
          ],
          [
            -95.76792,
            40.58498
          ],
          [
            -91.73002,
            40.61421
          ],
          [
            -91.4396,
            40.35939
          ],
          [
            -91.34843,
            40.45195
          ],
          [
            -91.38895,
            40.57516
          ],
          [
            -91.06481,
            40.7135
          ],
          [
            -90.93314,
            41.08101
          ],
          [
            -91.0952,
            41.25639
          ],
          [
            -90.98378,
            41.43129
          ],
          [
            -90.40642,
            41.52236
          ],
          [
            -90.27474,
            41.74947
          ],
          [
            -90.10254,
            42.036
          ],
          [
            -90.3659,
            42.26129
          ],
          [
            -90.48745,
            42.426
          ],
          [
            -90.56186,
            42.42975
          ],
          [
            -90.6411,
            42.5084
          ]
        ]
      ]
    }
  },
  "fields": {
    "name": [
      "Illinois_Missouri"
    ],
    "location": [
      {
        "coordinates": [
          [
            [
              -90.6411,
              42.5084
            ],
            [
              -88.77688,
              42.49207
            ],
            [
              -88.65873,
              42.49439
            ],
            [
              -88.19969,
              42.49495
            ],
            [
              -87.02003,
              42.49349
            ],
            [
              -87.20791,
              41.76082
            ],
            [
              -87.52345,
              41.76028
            ],
            [
              -87.53139,
              39.34767
            ],
            [
              -87.54324,
              39.35314
            ],
            [
              -87.55372,
              39.34019
            ],
            [
              -87.57741,
              39.3403
            ],
            [
              -87.58871,
              39.33377
            ],
            [
              -87.60015,
              39.31312
            ],
            [
              -87.59715,
              39.29658
            ],
            [
              -87.60982,
              39.28225
            ],
            [
              -87.60527,
              39.26142
            ],
            [
              -87.59368,
              39.24733
            ],
            [
              -87.58367,
              39.24364
            ],
            [
              -87.57458,
              39.21846
            ],
            [
              -87.60595,
              39.18516
            ],
            [
              -87.64005,
              39.16684
            ],
            [
              -87.48272,
              38.70261
            ],
            [
              -88.05473,
              37.81248
            ],
            [
              -88.14313,
              37.59442
            ],
            [
              -88.08073,
              37.49547
            ],
            [
              -88.47074,
              37.40465
            ],
            [
              -88.50714,
              37.27649
            ],
            [
              -88.40834,
              37.09006
            ],
            [
              -88.9778,
              37.21035
            ],
            [
              -89.2038,
              37.03015
            ],
            [
              -89.10864,
              36.75427
            ],
            [
              -89.73907,
              36.03617
            ],
            [
              -90.39329,
              36.00731
            ],
            [
              -90.07213,
              36.31462
            ],
            [
              -90.20297,
              36.49652
            ],
            [
              -94.62787,
              36.48695
            ],
            [
              -94.60695,
              39.11363
            ],
            [
              -94.58643,
              39.14568
            ],
            [
              -94.60908,
              39.16097
            ],
            [
              -94.64879,
              39.15312
            ],
            [
              -94.66133,
              39.16119
            ],
            [
              -94.65973,
              39.17792
            ],
            [
              -94.68451,
              39.18391
            ],
            [
              -94.72556,
              39.16821
            ],
            [
              -94.74741,
              39.1711
            ],
            [
              -94.76767,
              39.18433
            ],
            [
              -94.78526,
              39.20808
            ],
            [
              -94.82283,
              39.20932
            ],
            [
              -94.83483,
              39.22295
            ],
            [
              -94.82534,
              39.24546
            ],
            [
              -94.84177,
              39.26667
            ],
            [
              -94.88402,
              39.28362
            ],
            [
              -94.90318,
              39.30542
            ],
            [
              -94.90815,
              39.32338
            ],
            [
              -94.90973,
              39.35381
            ],
            [
              -94.90133,
              39.3616
            ],
            [
              -94.88497,
              39.36695
            ],
            [
              -94.87899,
              39.37506
            ],
            [
              -94.88133,
              39.38521
            ],
            [
              -94.89044,
              39.39293
            ],
            [
              -94.90077,
              39.39307
            ],
            [
              -94.91303,
              39.38792
            ],
            [
              -94.92582,
              39.38427
            ],
            [
              -94.94351,
              39.38968
            ],
            [
              -94.94736,
              39.40064
            ],
            [
              -94.94999,
              39.41147
            ],
            [
              -94.97259,
              39.42094
            ],
            [
              -94.98567,
              39.4452
            ],
            [
              -95.02099,
              39.45381
            ],
            [
              -95.04186,
              39.4668
            ],
            [
              -95.04944,
              39.48254
            ],
            [
              -95.05229,
              39.50284
            ],
            [
              -95.08595,
              39.51857
            ],
            [
              -95.10515,
              39.53466
            ],
            [
              -95.11321,
              39.55294
            ],
            [
              -95.11054,
              39.56722
            ],
            [
              -95.10319,
              39.57782
            ],
            [
              -95.09489,
              39.58038
            ],
            [
              -95.08612,
              39.58056
            ],
            [
              -95.0719,
              39.57618
            ],
            [
              -95.05838,
              39.57947
            ],
            [
              -95.04724,
              39.59317
            ],
            [
              -95.04772,
              39.60814
            ],
            [
              -95.0553,
              39.62038
            ],
            [
              -95.05104,
              39.637
            ],
            [
              -95.02923,
              39.66383
            ],
            [
              -95.01785,
              39.6735
            ],
            [
              -94.99912,
              39.67696
            ],
            [
              -94.97802,
              39.68025
            ],
            [
              -94.96901,
              39.69083
            ],
            [
              -94.97091,
              39.73186
            ],
            [
              -94.95952,
              39.74445
            ],
            [
              -94.946,
              39.74582
            ],
            [
              -94.9169,
              39.72816
            ],
            [
              -94.89368,
              39.72404
            ],
            [
              -94.8651,
              39.7364
            ],
            [
              -94.85693,
              39.75622
            ],
            [
              -94.86382,
              39.76878
            ],
            [
              -94.8748,
              39.77623
            ],
            [
              -94.87123,
              39.77261
            ],
            [
              -94.88316,
              39.76995
            ],
            [
              -94.90636,
              39.75838
            ],
            [
              -94.92184,
              39.76336
            ],
            [
              -94.93604,
              39.77493
            ],
            [
              -94.93477,
              39.78336
            ],
            [
              -94.93041,
              39.78822
            ],
            [
              -94.92282,
              39.78973
            ],
            [
              -94.89202,
              39.79114
            ],
            [
              -94.88119,
              39.79687
            ],
            [
              -94.87598,
              39.80789
            ],
            [
              -94.8795,
              39.82895
            ],
            [
              -94.88878,
              39.83414
            ],
            [
              -94.91269,
              39.83446
            ],
            [
              -94.93196,
              39.84494
            ],
            [
              -94.94124,
              39.85304
            ],
            [
              -94.94181,
              39.86459
            ],
            [
              -94.92732,
              39.8784
            ],
            [
              -94.93056,
              39.89114
            ],
            [
              -94.94898,
              39.9001
            ],
            [
              -94.96248,
              39.90161
            ],
            [
              -94.98864,
              39.89632
            ],
            [
              -95.00932,
              39.90117
            ],
            [
              -95.02366,
              39.8933
            ],
            [
              -95.02817,
              39.86988
            ],
            [
              -95.0435,
              39.86351
            ],
            [
              -95.08808,
              39.86232
            ],
            [
              -95.10974,
              39.87117
            ],
            [
              -95.13309,
              39.87538
            ],
            [
              -95.14462,
              39.88909
            ],
            [
              -95.14293,
              39.90258
            ],
            [
              -95.15911,
              39.90722
            ],
            [
              -95.18035,
              39.89945
            ],
            [
              -95.20369,
              39.90484
            ],
            [
              -95.20721,
              39.91757
            ],
            [
              -95.19905,
              39.92858
            ],
            [
              -95.20749,
              39.9413
            ],
            [
              -95.22873,
              39.94367
            ],
            [
              -95.24633,
              39.94616
            ],
            [
              -95.25885,
              39.955
            ],
            [
              -95.27474,
              39.97333
            ],
            [
              -95.30048,
              39.98313
            ],
            [
              -95.30765,
              39.98971
            ],
            [
              -95.31187,
              40.01029
            ],
            [
              -95.33629,
              40.01868
            ],
            [
              -95.34991,
              40.0306
            ],
            [
              -95.36394,
              40.03102
            ],
            [
              -95.38826,
              40.02581
            ],
            [
              -95.40729,
              40.03219
            ],
            [
              -95.41869,
              40.04496
            ],
            [
              -95.42119,
              40.06315
            ],
            [
              -95.40799,
              40.07729
            ],
            [
              -95.41049,
              40.0943
            ],
            [
              -95.39354,
              40.1096
            ],
            [
              -95.39482,
              40.12387
            ],
            [
              -95.40761,
              40.1294
            ],
            [
              -95.42484,
              40.13152
            ],
            [
              -95.43289,
              40.14066
            ],
            [
              -95.43665,
              40.16052
            ],
            [
              -95.46221,
              40.16954
            ],
            [
              -95.48208,
              40.18971
            ],
            [
              -95.48153,
              40.20436
            ],
            [
              -95.47013,
              40.21921
            ],
            [
              -95.47233,
              40.2374
            ],
            [
              -95.48553,
              40.2479
            ],
            [
              -95.50832,
              40.24928
            ],
            [
              -95.52305,
              40.24949
            ],
            [
              -95.53889,
              40.25649
            ],
            [
              -95.55348,
              40.26201
            ],
            [
              -95.55778,
              40.27006
            ],
            [
              -95.5507,
              40.28544
            ],
            [
              -95.55688,
              40.29515
            ],
            [
              -95.57147,
              40.29971
            ],
            [
              -95.58689,
              40.30088
            ],
            [
              -95.60384,
              40.31253
            ],
            [
              -95.61913,
              40.3137
            ],
            [
              -95.64664,
              40.30533
            ],
            [
              -95.65817,
              40.31147
            ],
            [
              -95.65651,
              40.32111
            ],
            [
              -95.64511,
              40.3263
            ],
            [
              -95.63038,
              40.33054
            ],
            [
              -95.62246,
              40.33912
            ],
            [
              -95.62692,
              40.35416
            ],
            [
              -95.64234,
              40.36654
            ],
            [
              -95.64415,
              40.39036
            ],
            [
              -95.66165,
              40.41406
            ],
            [
              -95.65512,
              40.43511
            ],
            [
              -95.66457,
              40.45044
            ],
            [
              -95.68013,
              40.46165
            ],
            [
              -95.69278,
              40.46873
            ],
            [
              -95.69736,
              40.47666
            ],
            [
              -95.69407,
              40.49739
            ],
            [
              -95.71491,
              40.52813
            ],
            [
              -95.72811,
              40.5276
            ],
            [
              -95.73825,
              40.52401
            ],
            [
              -95.76284,
              40.52776
            ],
            [
              -95.77029,
              40.53561
            ],
            [
              -95.76284,
              40.55091
            ],
            [
              -95.77435,
              40.57534
            ],
            [
              -95.76792,
              40.58498
            ],
            [
              -91.73002,
              40.61421
            ],
            [
              -91.4396,
              40.35939
            ],
            [
              -91.34843,
              40.45195
            ],
            [
              -91.38895,
              40.57516
            ],
            [
              -91.06481,
              40.7135
            ],
            [
              -90.93314,
              41.08101
            ],
            [
              -91.0952,
              41.25639
            ],
            [
              -90.98378,
              41.43129
            ],
            [
              -90.40642,
              41.52236
            ],
            [
              -90.27474,
              41.74947
            ],
            [
              -90.10254,
              42.036
            ],
            [
              -90.3659,
              42.26129
            ],
            [
              -90.48745,
              42.426
            ],
            [
              -90.56186,
              42.42975
            ],
            [
              -90.6411,
              42.5084
            ]
          ]
        ],
        "type": "Polygon"
      }
    ]
  }
}

Thanks for showing that the filter returns a document.

Somehow, the alert is not able to find this document. Did the document get populated after the rule was created? The features list is cached to avoid having to search for features every time the rule runs. Can you try recreating the alert again? Can you also try creating an alert without the filter?

I have opened the following issues that you can track

Recreating the rule and specifying the filters up front resolved the problem. That's not a great experience, I would have expected an error in the GUI and prevention of creating the rule or a re-caching of whatever is cached when the rule is edited.
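As an added example (not code from the thread or from Elastic), here is a preflight script that does the manual step above before the rule is created or edited: it rebuilds the boundary search from the saved rule params and checks that `boundaryIndexQuery` actually returns at least one boundary document carrying the configured geo field. An empty or unparseable filter is rejected up front, which is the situation that ends in an empty filter list at run time. Assumptions not stated on the page: Elasticsearch at `ES_URL`, an optional API key for authentication, the KQL filter being a single quoted term of the form `field: "value"` (quoted KQL strings become `match_phrase`, which is how KQL treats them), and the extra `exists` filter on the geo field, which is this script's own check rather than anything Kibana runs.

```python
"""Preflight check for a Kibana geo-containment rule's boundary filter.

Added example, not code from the thread or from Elastic. It reproduces the
manual step in the thread (confirm that boundaryIndexQuery really returns a
boundary document) as a script that can run before the rule is saved.

Assumptions (not stated on the page): Elasticsearch is reachable at ES_URL,
optionally with an API key; the KQL filter is a single quoted term of the
form  field: "value"  (quoted KQL strings become match_phrase); the exists
filter on the geo field is this script's own check.
"""
import json
import re
import urllib.request
from typing import Any, Dict, List, Optional

# Rule params as saved by Kibana (copied from the thread's API output, trimmed
# to the boundary-related keys).
RULE_PARAMS = {
    "boundaryType": "entireIndex",
    "boundaryIndexTitle": "forti_geo",
    "boundaryGeoField": "location",
    "boundaryNameField": "name",
    "boundaryIndexQuery": {"query": 'name: "Illinois_Missouri"', "language": "kuery"},
}

_KQL_TERM = re.compile(r'^\s*([\w.@-]+)\s*:\s*"([^"]*)"\s*$')


def kql_to_filter(kql: str) -> Dict[str, Any]:
    """Translate one quoted KQL term into query DSL; anything else is rejected.

    An empty string would mean "no boundary filter", so it is treated as an
    error instead of silently matching everything or nothing.
    """
    if not kql.strip():
        raise ValueError("boundaryIndexQuery is empty; the rule would have no boundary filter")
    m = _KQL_TERM.match(kql)
    if not m:
        raise ValueError(f"unsupported KQL for this preflight check: {kql!r}")
    field, value = m.groups()
    return {"match_phrase": {field: value}}


def build_boundary_search(params: Dict[str, Any]) -> Dict[str, Any]:
    """Build the search body that should return the rule's boundary documents."""
    filters: List[Dict[str, Any]] = [
        kql_to_filter(params["boundaryIndexQuery"]["query"]),
        # Our own sanity check: a boundary doc without the geo field is useless.
        {"exists": {"field": params["boundaryGeoField"]}},
    ]
    return {
        "size": 1000,
        "_source": [params["boundaryNameField"]],
        "query": {"bool": {"filter": filters}},
    }


def boundary_names(params: Dict[str, Any], response: Dict[str, Any]) -> List[str]:
    """Names of the boundaries the search found; an empty list means the rule
    has nothing to contain entities against and will not alert."""
    hits = response.get("hits", {}).get("hits", [])
    name_field = params["boundaryNameField"]
    return [h["_source"].get(name_field, h["_id"]) for h in hits]


def run_preflight(es_url: str, params: Dict[str, Any], api_key: Optional[str] = None) -> List[str]:
    """Run the search against a live cluster (not exercised by the offline test)."""
    headers = {"Content-Type": "application/json"}
    if api_key:  # base64 "id:key" as issued by the Elasticsearch security API (assumed)
        headers["Authorization"] = f"ApiKey {api_key}"
    req = urllib.request.Request(
        f"{es_url}/{params['boundaryIndexTitle']}/_search",
        data=json.dumps(build_boundary_search(params)).encode(),
        headers=headers,
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return boundary_names(params, json.load(resp))


if __name__ == "__main__":
    ES_URL = "http://localhost:9200"  # assumed; adjust for your cluster
    names = run_preflight(ES_URL, RULE_PARAMS)
    print(f"{len(names)} boundary document(s): {names}" if names else "no boundaries matched")
```

Run it against the same rule params you saved (or pulled back with the alerting API) whenever you change the boundary filter; if it reports no matches, the rule will not alert regardless of what the entity index contains.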

@Nathan_Reese, Follow-up "issue". Is it possible to use Index as the action and have the event that triggered the alert written to another index? Or will I have to do something wonky like use the alert to index the event id, then run a pipeline that does an elasticsearch query for those events to pull the message field in?

Recreating the rule and specifying the filters up front resolved the problem. That's not a great experience, I would have expected an error in the GUI and prevention of creating the rule or a re-caching of whatever is cached when the rule is edited.

Agreed. This issue will be resolved by 157066

Is it possible to use Index as the action and have the event that triggered the alert written to another index?

Have you tried using the index action?

I have, but I don't see a variable for the message field, and what's in the documentation examples, {{context.message}}, does not work.

The geo-containment alert exposes the following fields. You can view these in the product by clicking the "Add variable" button at the top right of the "message" input.

{
  "entityId": "{{context.entityId}}",
  "entityDateTime": "{{context.entityDateTime}}",
  "entityDocumentId": "{{context.entityDocumentId}}",
  "detectionDateTime": "{{context.detectionDateTime}}",
  "entityLocation": "{{context.entityLocation}}",
  "containingBoundaryId": "{{context.containingBoundaryId}}",
  "containingBoundaryName": "{{context.containingBoundaryName}}"
}

Ya, I saw all those options. Guess I have to do some crazy Logstash pipeline. Appreciate the help.

What information is missing from context? Can you describe your use case?

It doesn't look like any of those context options contain all the fields from the original event. Our desired use case is to have this containment rule write the full event off to another index. This enables two functions. One, have a threshold rule that alerts and sends an email and two, having an index to build dashboards/reporting off of without all the bloat of the other events from the original logs.
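As an added example (not code from the thread or from Elastic), here is the two-step approach described in this thread written out: the index action writes a small alert document that carries `context.entityDocumentId` and the other context fields listed above, and a follow-up job pulls the original events by `_id` and writes each full event, tagged with its alert context, into a dedicated index that the threshold rule and dashboards can use. The action document template, the index names `geo-alerts` and `fortigate-geo-events`, the `geo_alert` field name and the sample alert and event documents are all assumptions constructed for this example; Kibana does the real `{{context.*}}` substitution, and `render_template` only imitates it so the pipeline can be exercised offline.

```python
"""Join geo-containment alerts back to the events that triggered them.

Added example, not code from the thread or from Elastic. Step 1 is the
Index action's "document" template (ALERT_DOCUMENT_TEMPLATE); step 2 is a
job that fetches the original events by _id and writes them, plus the alert
context, to a dedicated index as a _bulk request.

Assumed names (not on the page): alert index "geo-alerts", target index
"fortigate-geo-events", the field names in the template, and the sample
context/event documents below, which are constructed for the offline run.
"""
import json
import re
from typing import Any, Dict, Iterable, List

# Step 1: what to put in the rule's Index action "document" field. Kibana
# substitutes the {{context.*}} variables listed in the thread before indexing.
ALERT_DOCUMENT_TEMPLATE = {
    "@timestamp": "{{context.detectionDateTime}}",
    "event_timestamp": "{{context.entityDateTime}}",
    "entity_id": "{{context.entityId}}",
    "entity_document_id": "{{context.entityDocumentId}}",
    "entity_location": "{{context.entityLocation}}",
    "boundary_id": "{{context.containingBoundaryId}}",
    "boundary_name": "{{context.containingBoundaryName}}",
}

_VAR = re.compile(r"\{\{\s*context\.(\w+)\s*\}\}")


def render_template(template: Dict[str, str], context: Dict[str, str]) -> Dict[str, str]:
    """Imitate the action's variable substitution. An unknown variable such as
    {{context.message}} renders as an empty string, which is why that field
    came back blank in the thread."""
    return {k: _VAR.sub(lambda m: context.get(m.group(1), ""), v) for k, v in template.items()}


def build_ids_query(alert_docs: Iterable[Dict[str, str]]) -> Dict[str, Any]:
    """Step 2a: search body for the source indices (e.g. fortigate*) that
    fetches every original event referenced by the alert documents."""
    ids = sorted({d["entity_document_id"] for d in alert_docs if d.get("entity_document_id")})
    return {"size": len(ids), "query": {"ids": {"values": ids}}}


def merge_events(alert_docs: List[Dict[str, str]], hits: List[Dict[str, Any]],
                 target_index: str) -> List[Dict[str, Any]]:
    """Step 2b: produce _bulk action/source pairs holding one full copy of each
    original event with the alert context nested under 'geo_alert'."""
    by_id = {h["_id"]: h["_source"] for h in hits}
    bulk: List[Dict[str, Any]] = []
    for alert in alert_docs:
        src = by_id.get(alert["entity_document_id"])
        if src is None:
            continue  # event rolled over or was deleted; skip rather than write a partial record
        doc = dict(src)
        doc["geo_alert"] = {k: v for k, v in alert.items() if k != "entity_document_id"}
        # Reuse the event id so a rerun of the job overwrites instead of duplicating.
        bulk.append({"index": {"_index": target_index, "_id": alert["entity_document_id"]}})
        bulk.append(doc)
    return bulk


def to_ndjson(bulk: List[Dict[str, Any]]) -> str:
    """Serialise the pairs in the newline-delimited form the _bulk API expects."""
    return "".join(json.dumps(x) + "\n" for x in bulk)


# Constructed sample data (not from the page): one alert context and the
# matching source event as a search hit from the fortigate* indices.
SAMPLE_CONTEXT = {
    "entityId": "203.0.113.7",
    "entityDateTime": "2023-05-04T20:59:00.000Z",
    "entityDocumentId": "evt-1",
    "detectionDateTime": "2023-05-04T20:59:42.412Z",
    "entityLocation": "POINT (-87.6 41.9)",
    "containingBoundaryId": "b-1",
    "containingBoundaryName": "Illinois_Missouri",
}
SAMPLE_HITS = [
    {"_index": "fortigate-2023.05.04", "_id": "evt-1",
     "_source": {"@timestamp": "2023-05-04T20:59:00.000Z",
                 "client": {"wan_ip": "203.0.113.7"},
                 "message": "vpn login user=alice"}},
]

if __name__ == "__main__":
    alert_doc = render_template(ALERT_DOCUMENT_TEMPLATE, SAMPLE_CONTEXT)  # what lands in geo-alerts
    print(json.dumps(build_ids_query([alert_doc])))                         # POST fortigate*/_search
    print(to_ndjson(merge_events([alert_doc], SAMPLE_HITS, "fortigate-geo-events")), end="")  # POST _bulk
```

In production the job reads `geo-alerts` on a schedule, runs the `ids` query against the source indices, and posts the `_bulk` body; because the target document id is the original event id, reruns are idempotent and the threshold rule can count documents in `fortigate-geo-events` without double counting.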
