Hi,
I have enabled elastic security and activated the rules. I am using auditbeat to collect audit data and send it to logstash which then indexes it in elasticsearch. I am not performing any mutation on the logs via logstash, and using default mapping.
However some of the rules are failing during execution with the reason "first argument of {rule} must be [ip], found value [destination.ip] type [text]".
The rule definition mentions index patterns auditbeat-* and logs-endpoint.events.*. I am only using auditbeat-*.
Attaching screenshot of the error.
Attaching error message.
An error occurred during rule execution: message: "verification_exception: [verification_exception] Reason: Found 1 problem line 4:5: first argument of [cidrmatch(destination.ip, "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.0.0/29", "192.0.0.8/32", "192.0.0.9/32", "192.0.0.10/32", "192.0.0.170/32", "192.0.0.171/32", "192.0.2.0/24", "192.31.196.0/24", "192.52.193.0/24", "192.168.0.0/16", "192.88.99.0/24", "224.0.0.0/4", "100.64.0.0/10", "192.175.48.0/24", "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "240.0.0.0/4", "::1", "FE80::/10", "FF00::/8")] must be [ip], found value [destination.ip] type [text]" name: "Connection to Internal Network via Telnet" id: "9f53abc6-2ce0-11ec-bf2a-a326ef99e497" rule id: "1b21abcc-4d9f-4b08-a7f5-316f5f94b973" signals index: ".siem-signals-default"
Any help would be appreciated.
Thanks.