An error occurred during rule execution: message: "verification_exception
Root causes:
verification_exception: Found 1 problem
line 3:3: Unknown column [winlog.event_data.AttributeLDAPDisplayName], did you mean [winlog.event_data.AttributeValue]?"
I am unsure on how to correct this. Any ideas?
Thanks
Hey @ETFJeff, apologies for the delay in responding. The warning message indicates that no events containing this field have been ingested yet. Since most fields under winlog.event_data.* are dynamically parsed, the field will only appear in the mapping once a document with that field is ingested.
This field is associated with Active Directory monitoring. I would evaluate if it is relevant to your environment. If it is, you can find setup instructions for enabling the necessary audit policies on your domain controllers in the Setup section. If it's not relevant, you may want to consider disabling the rule.
Issues related to detection rules can be brought more directly to the responsible team's attention by opening an issue in our GitHub repo: Issues · elastic/detection-rules · GitHub
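The check implied by the answer above, as an added example (not part of the thread and not Elastic's code): ask the cluster which backing indices actually have `winlog.event_data.AttributeLDAPDisplayName` mapped, and build the query that would confirm whether any event carrying the field has been ingested. It assumes an Elasticsearch cluster at a hypothetical `ES_URL` (with optional API-key auth via `ES_API_KEY`) and a hypothetical index pattern `logs-system.security-*,winlogbeat-*`; run offline, it evaluates a constructed sample of the `GET <index>/_mapping/field/<field>` response instead. The field comes from Windows event 5136 ("A directory service object was modified"), so the count query is restricted to that event code.

```python
import json
import os
from typing import Dict, List, Optional
from urllib.request import Request, urlopen

FIELD = "winlog.event_data.AttributeLDAPDisplayName"
# Hypothetical index pattern; adjust to where your Windows security events land.
INDEX_PATTERN = "logs-system.security-*,winlogbeat-*"

# Constructed sample of a GET <index>/_mapping/field/<field> response. Because
# winlog.event_data.* is mapped dynamically, only backing indices that have
# already ingested an event carrying the field list it; the rest return {}.
SAMPLE_MAPPING_RESPONSE = json.dumps({
    ".ds-logs-system.security-default-2024.01.01-000001": {"mappings": {}},
    ".ds-logs-system.security-default-2024.02.01-000002": {
        "mappings": {
            FIELD: {
                "full_name": FIELD,
                "mapping": {"AttributeLDAPDisplayName": {"type": "keyword"}},
            }
        }
    },
})


def indices_with_field(mapping_response: str, field: str) -> Dict[str, bool]:
    """Return {index_name: True/False} for whether `field` is mapped there."""
    data = json.loads(mapping_response)
    return {index: field in body.get("mappings", {}) for index, body in data.items()}


def missing_everywhere(mapping_response: str, field: str) -> bool:
    """True when no index in the response has the field mapped: the state that
    makes the rule's query fail verification with 'Unknown column'."""
    return not any(indices_with_field(mapping_response, field).values())


def exists_query(field: str, event_code: Optional[str] = None) -> dict:
    """Build a _count/_search body that finds documents carrying `field`.
    Optionally restrict to one Windows event code; 5136 ("A directory service
    object was modified") is the event that populates AttributeLDAPDisplayName."""
    filters: List[dict] = [{"exists": {"field": field}}]
    if event_code is not None:
        filters.append({"term": {"event.code": event_code}})
    return {"query": {"bool": {"filter": filters}}}


def fetch_field_mapping(es_url: str, index_pattern: str, field: str) -> str:
    """Call the real field-mapping endpoint (needs a reachable cluster)."""
    req = Request(f"{es_url}/{index_pattern}/_mapping/field/{field}")
    api_key = os.environ.get("ES_API_KEY")  # assumption: API-key auth when set
    if api_key:
        req.add_header("Authorization", f"ApiKey {api_key}")
    with urlopen(req, timeout=10) as resp:
        return resp.read().decode()


def main() -> None:
    es_url = os.environ.get("ES_URL")  # e.g. http://localhost:9200 (assumption)
    if es_url:
        response = fetch_field_mapping(es_url, INDEX_PATTERN, FIELD)
    else:
        response = SAMPLE_MAPPING_RESPONSE  # offline: use the constructed sample
    for index, present in indices_with_field(response, FIELD).items():
        print(f"{'mapped ' if present else 'missing'}  {index}")
    if missing_everywhere(response, FIELD):
        print(f"{FIELD} is not mapped anywhere: no event 5136 has been ingested yet.")
    print("Count query to confirm such events exist:")
    print(json.dumps(exists_query(FIELD, "5136"), indent=2))


if __name__ == "__main__":
    main()
```

If every index reports `missing`, the rule cannot pass verification until a 5136 event arrives, which in turn requires the Directory Service Changes audit subcategory (and object SACLs) to be enabled on the domain controllers, as the answer's Setup section describes. Once one such event is indexed, the field appears in the mapping of that backing index and the rule will run.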