Rule Failure - Rule Mapping Error

Hi there,

I am facing the same issue as in "Rules failing due to field mapping errors", except that I am using Winlogbeat (instead of Auditbeat).

I am also not using Logstash or any log transformation tools, and I am using the latest Elasticsearch, Kibana, and Winlogbeat versions (v8.1.2).

The error message is: An error occurred during rule execution: message: "verification_exception: [verification_exception] Reason: Found 1 problem line 4:8: first argument of [cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8")] must be [ip], found value [destination.ip] type [text]" name: "Unusual Network Connection via DllHost" id: "e7ab0a0c-b614-11ec-a5b7-adfb0ac547ad" rule id: "c7894234-7814-44c2-92a9-f7d851ea246a" execution id: "cf64291c-0cb4-4993-852d-011887f4e9c6" space ID: "default"

An example of such a rule failing is Unusual Network Connection via DllHost.

Under Data views for winlogbeat-*, I see that my destination.ip field has the text type.

Thank you for your time & help in advance.
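The error above is a type check, not a data problem: EQL's `cidrmatch()` only verifies against a field mapped as `ip`, and the `winlogbeat-*` data view reports `destination.ip` as `text`, which is what dynamic mapping produces when an index is created before the Winlogbeat index template has been loaded. As an added example (not part of the original post or of Elastic's own tooling), the script below walks a `GET winlogbeat-*/_mapping` response and reports every index whose mapping disagrees with the type the rule needs. The mapping response is a constructed sample embedded inline so the script runs offline; in a real cluster you would feed it the JSON returned by the `_mapping` API. Only `destination.ip` appears in the error message; the other required fields and their types are assumptions for illustration.

```python
"""Check whether the fields an EQL rule depends on are mapped with the
Elasticsearch field types the rule's functions require.

cidrmatch() needs an `ip` field; an index that was created by dynamic
mapping (before the Winlogbeat template was loaded) maps destination.ip
as `text` with a `keyword` sub-field, which makes the rule fail to verify.
"""
import json

# Fields the rule needs and the type each must have. destination.ip/ip is
# taken from the error message; the other two are assumptions.
REQUIRED_TYPES = {
    "destination.ip": "ip",
    "process.name": "keyword",
    "event.type": "keyword",
}

# Constructed sample of a `GET winlogbeat-*/_mapping` response: one index
# created from the Winlogbeat template (correct ECS types) and one created
# by dynamic mapping (IP strings become text + keyword sub-field).
SAMPLE_MAPPING_RESPONSE = json.dumps({
    "winlogbeat-8.1.2-2022.04.01-000001": {
        "mappings": {"properties": {
            "destination": {"properties": {"ip": {"type": "ip"}}},
            "process": {"properties": {"name": {"type": "keyword"}}},
            "event": {"properties": {"type": {"type": "keyword"}}},
        }}
    },
    "winlogbeat-2022.04.05": {
        "mappings": {"properties": {
            "destination": {"properties": {"ip": {
                "type": "text",
                "fields": {"keyword": {"type": "keyword", "ignore_above": 256}},
            }}},
            "process": {"properties": {"name": {
                "type": "text",
                "fields": {"keyword": {"type": "keyword", "ignore_above": 256}},
            }}},
            "event": {"properties": {"type": {"type": "keyword"}}},
        }}
    },
})


def field_type(properties, dotted_name):
    """Resolve a dotted ECS field name such as "destination.ip" against a
    `properties` tree and return its mapped type, or None if it is unmapped."""
    node = {"properties": properties}
    for part in dotted_name.split("."):
        props = node.get("properties", {})
        if part not in props:
            return None
        node = props[part]
    # A node with sub-properties but no explicit type is an object field.
    return node.get("type", "object" if "properties" in node else None)


def find_mapping_conflicts(mapping_response, required=REQUIRED_TYPES):
    """Return {index: {field: (actual_type, expected_type)}} for every index
    in a _mapping response where a required field is missing or has the
    wrong type. An empty dict means every index satisfies the rule."""
    conflicts = {}
    for index, body in json.loads(mapping_response).items():
        props = body.get("mappings", {}).get("properties", {})
        bad = {}
        for field, expected in required.items():
            actual = field_type(props, field)
            if actual != expected:
                bad[field] = (actual, expected)
        if bad:
            conflicts[index] = bad
    return conflicts


if __name__ == "__main__":
    for index, fields in find_mapping_conflicts(SAMPLE_MAPPING_RESPONSE).items():
        for field, (actual, expected) in fields.items():
            print(f"{index}: {field} is mapped as {actual!r}, rule needs {expected!r}")
```

Any index this reports cannot be fixed in place, because an existing field's type cannot be changed; the usual remedy is to load the index template (for example with `winlogbeat setup --index-management`) and then roll over or reindex so that new indices are created from the template rather than by dynamic mapping.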
