Rule Failure - Rule Mapping Error

Hi there,

I am facing the same issue as Rules failing due to field mapping errors, except that I am using Winlogbeat (instead of Auditbeat).

I am also not using Logstash or any log transformation tools, and I am using the latest Elasticsearch, Kibana, and Winlogbeat versions (v8.1.2).

The error message is: An error occurred during rule execution: message: "verification_exception: [verification_exception] Reason: Found 1 problem line 4:8: first argument of [cidrmatch(destination.ip, "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "::1", "FE80::/10", "FF00::/8")] must be [ip], found value [destination.ip] type [text]" name: "Unusual Network Connection via DllHost" id: "e7ab0a0c-b614-11ec-a5b7-adfb0ac547ad" rule id: "c7894234-7814-44c2-92a9-f7d851ea246a" execution id: "cf64291c-0cb4-4993-852d-011887f4e9c6" space ID: "default"

An example of such a rule failing is Unusual Network Connection via DllHost.

Under Data views for winlogbeat-*, I see that my destination.ip field has the text type.

Thank you for your time & help in advance.
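The error above is a mapping problem, not a rule bug: EQL's cidrmatch() requires its first argument to be an ip field, and the post shows destination.ip mapped as text. The following added example (not code from the post, Elastic, or Winlogbeat) checks a rule's cidrmatch() arguments against a _field_caps response before the rule is enabled; the field_caps JSON and the query fragment are constructed to mirror the post, and the cluster's real response would be fetched with GET winlogbeat-*/_field_caps.

```python
import json
import re

# Constructed sample of a GET winlogbeat-*/_field_caps response, trimmed to three
# fields (not real output from the poster's cluster). destination.ip carries the
# "text" mapping the post reports.
SAMPLE_FIELD_CAPS = json.loads("""
{
  "indices": ["winlogbeat-8.1.2"],
  "fields": {
    "destination.ip": {"text": {"type": "text", "searchable": true, "aggregatable": false}},
    "source.ip":      {"ip":   {"type": "ip",   "searchable": true, "aggregatable": true}},
    "process.name":   {"keyword": {"type": "keyword", "searchable": true, "aggregatable": true}}
  }
}
""")

# Constructed EQL fragment modelled on the error message (the full rule query is
# not reproduced in the post); only cidrmatch()'s first argument matters here.
RULE_QUERY = (
    'network where process.name : "dllhost.exe" and not '
    'cidrmatch(destination.ip, "::1", "FE80::/10", "FF00::/8")'
)

# cidrmatch(<field>, ...): capture the first argument, which EQL requires to be an ip field.
CIDRMATCH_FIRST_ARG = re.compile(r"cidrmatch\(\s*([A-Za-z0-9_.]+)\s*,")


def field_types(field_caps: dict, field: str) -> list:
    """Sorted list of mapped types for `field` across the matched indices.
    _field_caps keys each field by type, so a field mapped as ip in one index and
    text in another shows both; an unmapped field yields []."""
    return sorted(field_caps.get("fields", {}).get(field, {}).keys())


def check_cidrmatch_fields(query: str, field_caps: dict) -> list:
    """Return [(field, types)] for every cidrmatch() first argument that is not
    mapped as ip in every matched index, i.e. the condition that produces
    'first argument of [cidrmatch(...)] must be [ip]' at rule execution time."""
    problems = []
    for field in CIDRMATCH_FIRST_ARG.findall(query):
        types = field_types(field_caps, field)
        if types != ["ip"]:
            problems.append((field, types))
    return problems


if __name__ == "__main__":
    for field, types in check_cidrmatch_fields(RULE_QUERY, SAMPLE_FIELD_CAPS):
        print(f"{field}: mapped as {types or 'unmapped'}, cidrmatch() needs ip")
```

A non-empty result means the index mapping (or the index template that produced it) needs correcting before the rule can execute; the check is cheap enough to run over every enabled rule after a Beats or index-template upgrade.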
