SIEM rule not working for custom query

Hi,
I'm trying to create a simple rule that checks the host.name field:


But no signal is generated. Here is my index mapping.

I can see events in timeline using the same query.

Hi @Frank_Hassanabad,
Sorry for bothering you. I saw this post and I thought it might be a problem with my @timestamp too.
Here's a sample log.
I posted my mapping in the original post but I don't think that's the problem.
I'm using a grok processor in an ingest pipeline and my patterns don't parse the @timestamp field, but it will have a value after processing.

Any help would be highly appreciated.

Hi,
What user are you running as? Please try as "superadmin" just to see if it is not related to permissions.

I'm using the default superadmin user, a.k.a. elastic.
And I can create the same rule with another index and it works fine.

Hi-ya' @borna_talebi,

So I took a look at this and you're in luck :shamrock: that we have improved the upcoming, soon-to-be-released 7.10.0 to bubble up more errors about ECS mapping issues, to tighten up this feedback loop about errors from custom source indexes.

In the meantime, I tried out the latest experimental version and here are the two errors I can see in my environment for you to fix and everything should work out:

host.ip should be of the data type "ip" and not "keyword":

"ip": {
  "type": "ip",
  "fields": {
    "keyword": {
      "type": "keyword",
      "ignore_above": 256
    }
  }
},

And second, you need to change user to be of type object with a name underneath it:

"user": {
  "properties": {
    "name": {
      "type": "keyword"
    }
  }
},

I changed both of those and everything worked out with the mapping and sample data set you gave me.

ECS references:

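A small check for the two mapping problems described in this answer, written as an added example rather than code from the thread or from Elastic: it walks an index mapping and reports fields whose type differs from what ECS expects, including the case where user is a flat keyword instead of an object holding user.name. The expected-type table and the sample mappings are constructed assumptions.

```python
# Added example (not from the thread): flag the two ECS type mismatches found above
# (host.ip not "ip", user not an object holding user.name). Expected types are an
# assumption taken from ECS; extend the table for other fields your rule queries.
EXPECTED = {"host.name": "keyword", "host.ip": "ip", "user.name": "keyword"}

def flatten(properties, prefix=""):
    """Walk a mapping's 'properties' tree into {dotted.path: type};
    a field with its own 'properties' is recorded as 'object'."""
    out = {}
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:
            out[path] = "object"
            out.update(flatten(spec["properties"], path + "."))
        else:
            out[path] = spec.get("type", "object")
    return out

def check_ecs_mapping(mapping):
    """Return a list of problems; an empty list means every expected field
    is present with the ECS type the detection engine expects."""
    actual = flatten(mapping.get("properties", {}))
    problems = []
    for field, want in EXPECTED.items():
        got = actual.get(field)
        parent = field.rpartition(".")[0]
        if got is None and parent and actual.get(parent, "object") != "object":
            problems.append(f"{parent} is a {actual[parent]} but must be an object containing {field}")
        elif got is None:
            problems.append(f"{field} is missing from the mapping")
        elif got != want:
            problems.append(f"{field} is mapped as {got} but ECS expects {want}")
    return problems

# Constructed mapping fragments reproducing the thread's two mistakes and the fix.
BROKEN_MAPPING = {"properties": {
    "@timestamp": {"type": "date"},
    "host": {"properties": {"name": {"type": "keyword"}, "ip": {"type": "keyword"}}},
    "user": {"type": "keyword"},
}}
FIXED_MAPPING = {"properties": {
    "@timestamp": {"type": "date"},
    "host": {"properties": {"name": {"type": "keyword"},
                            "ip": {"type": "ip", "fields": {"keyword": {"type": "keyword"}}}}},
    "user": {"properties": {"name": {"type": "keyword"}}},
}}

if __name__ == "__main__":
    for problem in check_ecs_mapping(BROKEN_MAPPING):
        print("problem:", problem)
```

Feed it the output of GET /your-index/_mapping (the object under "mappings") to check a real index before wiring it into a rule.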

Thanks a lot! It worked!
Looking forward to the 7.10.0 update.


Good to hear and thank you for coming back to let the next person know this is what fixed it.

