Indicator Match Rule Failing from Rule Name

Hi,

I created an indicator match rule using intel from the Recorded Future integration package v1.0.1.

The match rule appears to be failing from the rule name itself. Here is the error output:

Rule failure at
Jul 8, 2022 @ 16:15:12.597
Bulk Indexing of signals failed: object mapping for [service] tried to parse field [service] as object, but found a concrete value name: "IP detections from Recorded Future" id: "95977990-fe4a-11ec-a2d8-071a4b73939e" rule id: "02cebb09-1b4d-4469-b34d-8b477d34f64a" execution id: "4e5dd34b-3880-432e-bd34-e7e19797b531" space ID: "default"

And here is a screenshot of the rule logic. I don't see how a misconfiguration on my part could cause an error like this, so I'm creating this post, as it seems to be an issue with indicator match rules:

Hi @codewriterguy

Based on the error, it seems like your mapping for the [service] field on this index should be a text or keyword type instead of an object. That should fix the issue and allow the rule to run successfully.

Thanks @dplumlee

Can you clarify which index to remap the [service] field? This appears to be an index created by the built-in rule editor when I selected "Indicator Match Rule" as the rule type and populated the settings for the rule.

Oh you're totally right, I had forgotten [service] is an ECS field. If the data going into that field isn't ECS compatible (in this case being read as a string instead of that designated object), it won't work. The source data index (the one the rule is querying) needs to have the service field defined as that object so you either need to change it or remove it. Sorry for the confusion on my part, does that make sense?

Thank you @dplumlee. To clarify, my source data in the demo_ip index needs a service field with ECS mapping?

What's strange is that the value it is finding in that field is coming from the Alert Rule name I created in the Kibana rule creation wizard.

Do you mean I should remap the service field in the index with the alert rule itself? What index would I remap?

Yeah, the demo_ip index is what the rule is querying for alerts, so it needs to be remapped to have a service field that is ECS compliant (i.e. that object I linked earlier).


@dplumlee you are correct, the index was mapping a service field from my grok pattern that was text and not an ECS object. I renamed the field and reindexed the data with the new mapping, and the indicator match rule is now working!

I did not realize that there could be conflicts with ECS fields this way - I will look out for this in the future.

For anyone reading this thread, the error was because my data had a service field that was not the object described by ECS, it was a text field that I grokked from my data.
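The conflict described in this thread (a grokked string landing in `service`, which ECS defines as an object) can be caught before a rule ever runs by checking the source index mapping and a sample of its documents. The script below is an added example, not Elastic's or the forum poster's code: it flags top-level ECS object field sets that are mapped or populated as a concrete value, and applies the same fix the poster used (rename the string field, keep `service` as an object). The index mappings, the sample document and the replacement field name `detection_source` are constructed for the example; `ECS_OBJECT_FIELDS` is a hand-picked subset of ECS field sets.

```python
"""Detect fields that collide with ECS object field sets (e.g. `service`), the
situation behind "object mapping for [service] tried to parse field [service]
as object, but found a concrete value".

Added example, not Elastic's code. ECS_OBJECT_FIELDS is a subset of ECS field
sets; the mappings, documents and the name `detection_source` are constructed.
"""
from typing import Dict, List, Tuple

# ECS field sets that are objects with sub-fields (service.name, host.name, ...).
ECS_OBJECT_FIELDS = frozenset({
    "agent", "destination", "event", "file", "host", "network",
    "process", "service", "source", "user",
})

# Constructed "before" mapping: a grok pattern wrote a plain string into `service`.
BROKEN_MAPPING = {
    "mappings": {
        "properties": {
            "@timestamp": {"type": "date"},
            "service": {"type": "text"},  # conflicts with the ECS `service` object
            "source": {"properties": {"ip": {"type": "ip"}}},
        }
    }
}

# Constructed "after" mapping: the grokked string moves to a non-ECS field name
# (assumed: detection_source) and `service` becomes an object with ECS sub-fields.
FIXED_MAPPING = {
    "mappings": {
        "properties": {
            "@timestamp": {"type": "date"},
            "detection_source": {"type": "keyword"},
            "service": {"properties": {"name": {"type": "keyword"}}},
            "source": {"properties": {"ip": {"type": "ip"}}},
        }
    }
}

# Constructed document shaped like the poster's: the rule name sits in `service`.
SAMPLE_DOC = {
    "@timestamp": "2022-07-08T16:15:12.597Z",
    "service": "IP detections from Recorded Future",
    "source": {"ip": "198.51.100.7"},
}


def find_mapping_conflicts(properties: Dict[str, dict],
                           ecs_object_fields=ECS_OBJECT_FIELDS) -> List[Tuple[str, str]]:
    """Return (field, type) pairs for ECS object field sets mapped as a leaf type.
    In a mapping, an object field carries "properties" or an explicit type of
    object/nested; any other type is a concrete value and will collide."""
    conflicts = []
    for name, spec in properties.items():
        if name not in ecs_object_fields:
            continue
        if "properties" in spec or spec.get("type") in (None, "object", "nested"):
            continue
        conflicts.append((name, spec["type"]))
    return sorted(conflicts)


def _is_object_value(value) -> bool:
    """An object field may hold a dict or an array of dicts; anything else is scalar."""
    if isinstance(value, dict):
        return True
    return isinstance(value, list) and all(isinstance(v, dict) for v in value)


def find_document_conflicts(doc: Dict[str, object],
                            ecs_object_fields=ECS_OBJECT_FIELDS) -> List[str]:
    """Return ECS object field names that hold a scalar value in `doc`.
    Dotted keys such as "service.name" already denote a sub-field and are fine."""
    return sorted(key for key, value in doc.items()
                  if key in ecs_object_fields and not _is_object_value(value))


def rename_conflicts(doc: Dict[str, object], rename_map: Dict[str, str]) -> Dict[str, object]:
    """Apply the thread's fix to one document: move each scalar out of the ECS
    object field name into the non-ECS name from rename_map, leaving real objects alone."""
    fixed = dict(doc)
    for old, new in rename_map.items():
        if old in fixed and not _is_object_value(fixed[old]):
            fixed[new] = fixed.pop(old)
    return fixed


if __name__ == "__main__":
    print("broken mapping:", find_mapping_conflicts(BROKEN_MAPPING["mappings"]["properties"]))
    print("fixed mapping: ", find_mapping_conflicts(FIXED_MAPPING["mappings"]["properties"]))
    print("document:      ", find_document_conflicts(SAMPLE_DOC))
    print("after rename:  ", rename_conflicts(SAMPLE_DOC, {"service": "detection_source"}))
```

In practice the mapping dict comes from the index's `GET <index>/_mapping` response and the documents from a small `_search` sample; the same check is worth running on any grok or ingest pipeline output before pointing a detection rule at it, since every ECS field set name is a potential collision.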
