Problem with detection [rules]

I have successfully transferred logs from winlog to Logstash on-prem and on to Elastic/Kibana Cloud. I have created an index pattern and discovered the data. In order to test whether everything works fine, I created a new user on the machine where winlog is installed. I can see this event in Elastic as follows:

message: A user account was created.

  Subject:
    Security ID:    S-1-5-21-3252654080-322283946-1054805376-1113
    Account Name:   maint_bjelen
    Account Domain: LAB01
    Logon ID:       0x23732

  New Account:
    Security ID:    S-1-5-21-1541298375-2807357869-827505638-1005
    Account Name:   tryme
    Account Domain: LOGSTASH-CLOUD

  Attributes:
    SAM Account Name:       tryme
    Display Name:           <value not set>
    User Principal Name:    -
    Home Directory:         <value not set>
    Home Drive:             <value not set>
    Script Path:            <value not set>
    Profile Path:           <value not set>
    User Workstations:      <value not set>
    Password Last Set:      <never>
    Account Expires:        <never>
    Primary Group ID:       513
    Allowed To Delegate To: -
    Old UAC Value:          0x0
    New UAC Value:          0x15
    User Account Control:
      Account Disabled
      'Password Not Required' - Enabled
      'Normal Account' - Enabled
    User Parameters:        <value not set>
    SID History:            -
    Logon Hours:            All

  Additional Information:
    Privileges: -

The problem starts when I want to set up Security detection. I have turned on the default rules and I am trying to use "User Account Creation". I have enabled the rule, but nothing gets detected. I am also getting the following warning:

The following indices are missing the timestamp override field "event.ingested": ["winlogbeat-7.13.0"] 

I am also getting this error:

{
  "message": "status_exception",
  "statusCode": 400,
  "attributes": {
    "type": "status_exception",
    "reason": "error while executing search",
    "caused_by": {
      "type": "search_phase_execution_exception",
      "reason": "all shards failed",
      "phase": "query",
      "grouped": true,
      "failed_shards": [
        {
          "shard": 0,
          "index": "winlogbeat-7.13.0",
          "node": "oArFASb5Qzit5aB33VdcsQ",
          "reason": {
            "type": "illegal_argument_exception",
            "reason": "Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [host.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory."
          }
        }
      ],
      "caused_by": {
        "type": "illegal_argument_exception",
        "reason": "Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [host.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory.",
        "caused_by": {
          "type": "illegal_argument_exception",
          "reason": "Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [host.name] in order to load field data by uninverting the inverted index. Note that this can use significant memory."
        }
      }
    }
  }
}

Can you please advise?

Hi @farciarz121,

Can you export the failing rule along with the output of the request below, by executing the following in Kibana Dev Tools?

GET winlogbeat-*/_mapping/field/event.ingested

The event.ingested field should be populated in winlogbeat so I'm wondering if there is something maybe overriding the winlogbeat mapping template?

Hi Davin, I was able to solve this problem. It was a problem related to setup. I forgot to set up the default dashboards and mappings with "setup -e".

Thank you for your response.

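The root cause in this thread is a mapping problem, not a rule problem: without the winlogbeat index template, Elasticsearch dynamically maps fields such as host.name as `text`, and event.ingested never exists, so the rule's sort/aggregation fails with the "all shards failed" error above. The check Davin asked for (`GET winlogbeat-*/_mapping/field/event.ingested`) can be turned into a small script that validates every index against the fields a rule needs. The following is an added example, not code from the thread or from Elastic; it parses the JSON shape that the `_mapping/field` API returns and flags missing or mis-typed fields. The required-field list is an assumption for illustration (a real prebuilt rule may depend on more fields), and the two index mappings are constructed to mirror the situation in the thread: one index created before `winlogbeat setup -e` ran, one created from the loaded template.

```python
"""Check an Elasticsearch field mapping against what a detection rule needs.

Added example, not code from the original thread or from Elastic. It parses the
JSON that `GET winlogbeat-*/_mapping/field/<fields>` returns and reports, per
index, required fields that are missing or that have the wrong type, e.g.
host.name dynamically mapped as `text` instead of the template's `keyword`.
"""

# Assumed minimal field set for illustration; real prebuilt rules may need more.
REQUIRED_FIELDS = {
    "event.ingested": "date",   # timestamp override used by the prebuilt rules
    "event.code": "keyword",    # 4720 = "A user account was created"
    "host.name": "keyword",     # rules sort/aggregate on this field
}


def field_type(entry, field):
    """Extract the mapped type from one entry of a _mapping/field response.

    The API nests the type under the leaf name of the field, e.g.
    {"full_name": "host.name", "mapping": {"name": {"type": "keyword"}}}.
    """
    leaf = field.rsplit(".", 1)[-1]
    return entry.get("mapping", {}).get(leaf, {}).get("type")


def check_index_mappings(response, required=REQUIRED_FIELDS):
    """Return {index_name: [problem, ...]} for every index that would break a rule."""
    problems = {}
    for index, body in response.items():
        mappings = body.get("mappings", {})
        issues = []
        for field, expected in required.items():
            if field not in mappings:
                issues.append(f"{field}: missing")
                continue
            actual = field_type(mappings[field], field)
            if actual != expected:
                issues.append(f"{field}: mapped as {actual!r}, expected {expected!r}")
        if issues:
            problems[index] = issues
    return problems


# Constructed sample in the shape of a real _mapping/field response.
# "winlogbeat-7.13.0" mimics an index created before `winlogbeat setup -e`
# ran: dynamic mapping made host.name and event.code text fields, and
# event.ingested is absent. "winlogbeat-7.13.0-000001" mimics an index
# created from the loaded template (hypothetical index name).
SAMPLE_RESPONSE = {
    "winlogbeat-7.13.0": {
        "mappings": {
            "host.name": {
                "full_name": "host.name",
                "mapping": {
                    "name": {
                        "type": "text",
                        "fields": {"keyword": {"type": "keyword", "ignore_above": 256}},
                    }
                },
            },
            "event.code": {
                "full_name": "event.code",
                "mapping": {"code": {"type": "text", "fields": {"keyword": {"type": "keyword"}}}},
            },
        }
    },
    "winlogbeat-7.13.0-000001": {
        "mappings": {
            "host.name": {"full_name": "host.name", "mapping": {"name": {"type": "keyword"}}},
            "event.code": {"full_name": "event.code", "mapping": {"code": {"type": "keyword"}}},
            "event.ingested": {"full_name": "event.ingested", "mapping": {"ingested": {"type": "date"}}},
        }
    },
}


if __name__ == "__main__":
    for index, issues in check_index_mappings(SAMPLE_RESPONSE).items():
        print(index)
        for issue in issues:
            print("  -", issue)
```

One caveat worth keeping in mind after running `winlogbeat setup -e`: Elasticsearch does not change the type of an existing field in place, so an index that was already created with the wrong mapping stays broken. New data has to land in a fresh index (or the bad index is deleted or reindexed) before the warning and the shard failure go away, and a script like the one above is a quick way to confirm every index behind `winlogbeat-*` is now consistent.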
