SIEM Signals Index and Component Templates

I have started translating and migrating all my legacy Index Templates over to the new Component Templates, but when I got to the .siem-signals-<space> template, I am now getting an error:

An error occurred during rule execution: message: "EQL based rules require an update to version 2 of the detection alerts index mapping" name: "Credential Acquisition via Registry Hive Dumping" id: "7e2cc050-cd4d-11eb-ab0a-51ff65f25624" rule id: "b4629ee0-92ce-440b-9165-c2b34556c6e7" signals index: ".siem-signals-default"

Is the Security app not yet compatible with Component Templates?

Please disregard. I was able to get a Component Template to work. I went through and copied all settings (other than mappings), and it now works. I suspect perhaps the "version" : 35 setting? I originally had "version" : 1.

Here is my working Component Template for SIEM Signals:

PUT _index_template/.siem-signals-default
{
  "index_patterns" : [
    ".siem-signals-default-*"
  ],
  "template" : {
    "settings" : {
      "index" : {
        "lifecycle" : {
          "name" : ".siem-signals-default",
          "rollover_alias" : ".siem-signals-default"
        },
        "mapping" : {
          "total_fields" : {
            "limit" : "10000"
          }
        }
      }
    },
    "mappings" : {
      "_meta": {
        "version": 35
      },
      "dynamic": false,
      "properties" : {
        "_score" : {
          "type" : "long"
        }
      }
    },
    "aliases" : {}
  },
  "composed_of" : [
    "@timestamp",
    "@version",
    "document_id",
    "agent",
    "as",
    "client",
    "cloud",
    "code_signature",
    "container",
    "destination",
    "dll",
    "dns",
    "ecs",
    "error",
    "event",
    "file",
    "geo",
    "group",
    "hash",
    "host",
    "http",
    "interface",
    "labels",
    "log",
    "logstash",
    "message",
    "network",
    "observer",
    "organization",
    "os",
    "package",
    "pe",
    "process",
    "registry",
    "related",
    "rule",
    "server",
    "service",
    "signal",
    "source",
    "span",
    "tags",
    "threat",
    "tls",
    "trace",
    "transaction",
    "url",
    "user",
    "user_agent",
    "vlan",
    "vulnerability",
    "windows",
    "winlog"
  ],
  "version" : 35,
  "_meta" : {
    "description" : "SIEM Signals Component-Based Template"
  }
}
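As an added check that is not from this post or from Elastic: a small Python script that reads the same mappings._meta.version the error message refers to, from either an index-template body or a GET _mapping response, and reports whether it meets the version-2 minimum. The function names and the sample documents are constructed for the example.

```python
"""Offline check that a .siem-signals index template, or a live index mapping,
carries the mappings._meta.version that Security-app EQL rules require."""
from typing import Optional

# The error quoted in the post asks for "version 2 of the detection alerts
# index mapping"; the Security app reads that number from mappings._meta.version.
MIN_EQL_RULE_INDEX_VERSION = 2


def meta_version(mappings: dict) -> Optional[int]:
    """Return mappings._meta.version as an int, or None when absent/invalid."""
    version = (mappings.get("_meta") or {}).get("version")
    return version if isinstance(version, int) else None


def check_template(template_body: dict) -> dict:
    """template_body is the JSON body of PUT _index_template/<name>. The
    top-level "version" is the template's own version, not the mapping's."""
    mappings = template_body.get("template", {}).get("mappings", {})
    version = meta_version(mappings)
    return {
        "meta_version": version,
        "top_level_version": template_body.get("version"),
        "eql_ok": version is not None and version >= MIN_EQL_RULE_INDEX_VERSION,
    }


def check_live_indices(get_mapping_response: dict) -> dict:
    """get_mapping_response is the body of GET .siem-signals-*/_mapping,
    shaped {index_name: {"mappings": {...}}}; returns {index_name: eql_ok}."""
    return {
        name: (meta_version(body.get("mappings", {})) or 0) >= MIN_EQL_RULE_INDEX_VERSION
        for name, body in get_mapping_response.items()
    }


# Constructed samples: a version-1 template (the case that trips the error) and
# a version-35 template like the poster's fix, trimmed to the fields read here.
VERSION_1_TEMPLATE = {
    "template": {"mappings": {"_meta": {"version": 1}, "dynamic": False}},
    "version": 1,
}
VERSION_35_TEMPLATE = {
    "template": {"mappings": {"_meta": {"version": 35}, "dynamic": False}},
    "version": 35,
}
LIVE_MAPPINGS = {  # constructed GET _mapping reply for two backing indices
    ".siem-signals-default-000001": {"mappings": {"_meta": {"version": 1}}},
    ".siem-signals-default-000002": {"mappings": {"_meta": {"version": 35}}},
}
```

Changing the template only affects indices created afterwards, so after updating it check the existing backing indices as well (or roll over) rather than only the template body.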
