Security Solution Plugins & @timestamp

teej · December 2, 2020, 12:36am

Good Day,
Just updated to 7.10 and while examining the kibana logs I find:

{"type":"log","@timestamp":"2020-11-25T20:37:07Z","tags":["error","plugins","securitySolution","plugins","securitySolution"],"pid":22460,"message":"Bulk Indexing of signals failed: reason: "No mapping found for [@timestamp] in order to sort on" type: "query_shard_exception" name: "Virtual Machine Fingerprinting" id: "cd23d3ba-a8a3-4b1d-9fd0-8946e06b9690" rule id: "5b03c9fb-9945-4d2f-9568-fd690fee3fba" signals index: ".siem-signals-default""}

It appears to being caused by a plugin? Is that a SIEM thing perhaps?

Frank_Hassanabad · December 3, 2020, 1:31am

That is from the SIEM solutions plugin detection engine. You have a rule enabled called, "Virtual Machine Fingerprinting" which is using a source index to search for detections. That source index does not have a @timestamp to search against and therefore is giving you errors.

You can go to the detections page and disable the rule if you aren't using it. If you are using it and want it to run correctly you have to ensure that the source index it is looking for detections against has a @timestamp for it to operate correctly.

system · December 31, 2020, 1:31am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.