Hi,
I have the following rule failure:
/An error occurred during rule execution: message: "verification_exception
Root causes:
verification_exception: Found 1 problem
line 3:3: Unknown column [winlog.event_data.AttributeLDAPDisplayName], did you mean [winlog.event_data.AttributeValue]?"
I am unsure on how to correct this. Any ideas?
Thanks
Hi @ETFJeff , welcome to out community.
Have you verified Field Names in the Index Pattern?
winlogbeat-* if you’re using Winlogbeat).winlog.event_data.AttributeLDAPDisplayName actually exists.Hi,
Thanks. Glad to be working in Elastic but also I am very new so I have to admit I am quite challenged.
I think Index Patterns is not called Data Views?
I looking in Data Views and the field `winlog.event_data.AttributeLDAPDisplayName does not exist there.```
``
What are my options to correct this? Should I try to remove the field from the query or add the field to the data view?
Sorry I am very new to elastic so not familiar with best ways to correct issues like this.
Thanks
Jeff
Hey @ETFJeff, apologies for the delay in responding. The warning message indicates that no events containing this field have been ingested yet. Since most fields under winlog.event_data.* are dynamically parsed, the field will only appear in the mapping once a document with that field is ingested.
This field is associated with Active Directory monitoring. I would evaluate if it is relevant to your environment. If it is, you can find setup instructions for enabling the necessary audit policies on your domain controllers in the Setup section. If it's not relevant, you may want to consider disabling the rule.
Issues related to detection rules can be brought more directly to the responsible team attention by opening an issue in our github repo: Issues · elastic/detection-rules · GitHub
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.