Hi there,
I am facing the same issue as in Rules failing due to field mapping errors, except that I am using Winlogbeat instead of Auditbeat.
I am also not using Logstash or any log transformation tools, and I am using the latest Elasticsearch, Kibana, and Winlogbeat versions (v8.1.2).
The error message is: An error occurred during rule execution: message: "verification_exception: [verification_exception] Reason: Found 1 problem line 4:8: first argument of [cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8")] must be [ip], found value [destination.ip] type [text]" name: "Unusual Network Connection via DllHost" id: "e7ab0a0c-b614-11ec-a5b7-adfb0ac547ad" rule id: "c7894234-7814-44c2-92a9-f7d851ea246a" execution id: "cf64291c-0cb4-4993-852d-011887f4e9c6" space ID: "default"
An example of such a rule failing is Unusual Network Connection via DllHost.
Under Data views for winlogbeat-*, I see that my destination.ip field has the text type.
Thank you for your time & help in advance.
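As an added example, not code from the original thread: a small Python check that reads the JSON body returned by Elasticsearch's GET /winlogbeat-*/_mapping/field/destination.ip and lists the indices where destination.ip is not mapped as ip, which is exactly the condition cidrmatch() rejects in the error above. The sample response embedded in the block is constructed for the example; the same function can be fed the real response from the cluster.

```python
"""Find winlogbeat-* indices whose destination.ip mapping is not type `ip`.

Input is the JSON returned by GET /winlogbeat-*/_mapping/field/destination.ip
(the Elasticsearch get-field-mapping API). The response below is constructed
for this example; it is not captured from the poster's cluster.
"""
import json

# Constructed sample: one index mapped correctly, one mapped as text
# (the situation described in the post), one where the field is absent.
SAMPLE_RESPONSE = json.dumps({
    "winlogbeat-8.1.2-2022.04.01": {
        "mappings": {
            "destination.ip": {
                "full_name": "destination.ip",
                "mapping": {"ip": {"type": "ip"}},
            }
        }
    },
    "winlogbeat-2022.04.02": {
        "mappings": {
            "destination.ip": {
                "full_name": "destination.ip",
                "mapping": {"ip": {"type": "text",
                                   "fields": {"keyword": {"type": "keyword"}}}},
            }
        }
    },
    "winlogbeat-2022.04.03": {"mappings": {}},  # field never indexed here
})


def field_types(response_body: str, field: str) -> dict:
    """Return {index_name: mapped type}, with None when the field is unmapped."""
    out = {}
    for index, body in json.loads(response_body).items():
        entry = body.get("mappings", {}).get(field)
        if not entry:
            out[index] = None
            continue
        # The "mapping" object is keyed by the leaf name of the field
        # (e.g. "ip" for destination.ip), so take its single value.
        leaf_mapping = next(iter(entry["mapping"].values()))
        out[index] = leaf_mapping.get("type")
    return out


def mismatched_indices(response_body: str, field: str, expected: str = "ip") -> list:
    """Indices where `field` is missing or not of `expected` type; EQL cidrmatch() fails on these."""
    return sorted(idx for idx, t in field_types(response_body, field).items() if t != expected)


if __name__ == "__main__":
    print(mismatched_indices(SAMPLE_RESPONSE, "destination.ip"))
```

Indices it reports need a reindex or a corrected index template before the rule will run; Data views only shows the merged type across all matching indices, so this per-index view is the useful one.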