Matching rule with indicator match error parsing date field

I create a index that contain all domain that i want to query to according to ecs.
Now i create a rule that will match any domain query from dns index but it give me this errror:

An error occurred during rule execution: message: "search_phase_execution_exception: [parse_exception] Reason: failed to parse date field [9223372036854776000] with format [strict_date_optional_time||epoch_millis]: [failed to parse date field [9223372036854776000] with format [strict_date_optional_time||epoch_millis]]" name: "Generic malware domain rule" id: "d4be8a40-147c-11ec-99e8-d50418e566bd" rule id: "a316899b-e2a6-4b38-8d48-4a8f12c3ad14" signals index: ".siem-signals-default"

I really dont understand how and why there is a parse error in the date field.
Please help

Thanks for your time.

What does the mapping in your new index look like for the date field? It is trying to parse the 9223372036854776000 as a date in epoch_millis and it isn't a valid date. Have a look here for a bit of information on mapping dates.

I though that new index does not need date field, since that filed will be like a place to store domain that i want to query so why the need for date field.
and if i have to have a date field. What field should i have.

The rules engine was meant to run on time series data and uses the @timestamp field as default. There is the ability to change that default to another field under advanced rule settings. When you set the schedule, you are effectively saying, run this rule every X minutes\seconds\etc and look back Y amount of time. The rule uses the @timestamp field to do this. Hopefully this makes sense and I am understanding what you are attempting to do.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.