Indicator Match Rule Failing from Rule Name

codewriterguy · July 8, 2022, 10:24pm

Hi,

I created an indicator match rule using intel from the Recorded Future integration package v1.0.1.

The match rule appears to be failing from the rule name itself. Here is the error output:

Rule failure at
Jul 8, 2022 @ 16:15:12.597
Bulk Indexing of signals failed: object mapping for [service] tried to parse field [service] as object, but found a concrete value name: "IP detections from Recorded Future" id: "95977990-fe4a-11ec-a2d8-071a4b73939e" rule id: "02cebb09-1b4d-4469-b34d-8b477d34f64a" execution id: "4e5dd34b-3880-432e-bd34-e7e19797b531" space ID: "default"

And here is a screenshot of the rule logic. I don't see how a misconfiguration on my part could cause an error like this, so creating this post as it seems to be an issue with indicator match rules:

dplumlee · July 11, 2022, 4:24pm

Hi @codewriterguy

Based on the error, it seems like your mapping for the [service] field on this index should be a text or keyword type instead of an object. That should fix the issue and allow the rule to run successfully

codewriterguy · July 11, 2022, 9:11pm

Thanks @dplumlee

Can you clarify which index to remap the [service] field? This appears to be an index created by the built-in rule editor when I selected "Indicator Match Rule" as the rule type and populated the settings for the rule.

dplumlee · July 11, 2022, 9:28pm

Oh you're totally right, I had forgotten [service] is an ECS field. If the data going into that field isn't ECS compatible (in this case being read as a string instead of that designated object), it won't work. The source data index (the one the rule is querying) needs to have the service field defined as that object so you either need to change it or remove it. Sorry for the confusion on my part, does that make sense?

codewriterguy · July 12, 2022, 9:48pm

Thank you @dplumlee. To clarify, my source data in demo_ip index needs a service field with ECS mapping?

What's strange is that the value it is finding in that field is coming from the Alert Rule name I created in the Kibana rule creation wizard.

Do you mean I should remap the service field in the index with the alert rule itself? What index would I remap?

dplumlee · July 13, 2022, 7:08pm

Yeah, the demo_ip index is what the rule is querying for alerts so it needs to be remapped to have a service field that is ECS compliant (ie that object I linked earlier)

codewriterguy · July 13, 2022, 10:43pm

@dplumlee you are correct, the index was mapping a service field from my GROK pattern that was text and not an ECS object. I renamed the field and reindexed the data with the new mapping, and the indicator match rule is now working!

I did not realize that there could be conflicts with ECS fields this way - I will look out for this in the future.

For anyone reading this thread, the error was because my data had a service field that was not the object described by ECS, it was a text field that I grokked from my data.

system · August 10, 2022, 10:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.