Rules failing due to field mapping errors


I have enabled elastic security and activated the rules. I am using auditbeat to collect audit data and send it to logstash which then indexes it in Elasticsearch. I am not performing any mutation on the logs via logstash, and using default mapping.

However some of the rules are failing during execution with the reason "first argument of {rule} must be [ip], found value [destination.ip] type [text]".

The rule definition mentions index patterns auditbeat-* and*. I am only using auditbeat-*.

Attaching screenshot of the error.

Attaching error message.

An error occurred during rule execution: message: "verification_exception: [verification_exception] Reason: Found 1 problem line 4:5: first argument of [cidrmatch(destination.ip, "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "", "::1", "FE80::/10", "FF00::/8")] must be [ip], found value [destination.ip] type [text]" name: "Connection to Internal Network via Telnet" id: "9f53abc6-2ce0-11ec-bf2a-a326ef99e497" rule id: "1b21abcc-4d9f-4b08-a7f5-316f5f94b973" signals index: ".siem-signals-default"

Any help would be appreciated.

I am not able to figure this out.

Any help would be appreciated.


This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.