SIEM Signals Index and Component Templates

I have started translating and migrating all my legacy Index Templates over to the new Component Templates, but when I got to the .siem-signals-<space> template, I am now getting an error:

An error occurred during rule execution: message: "EQL based rules require an update to version 2 of the detection alerts index mapping" name: "Credential Acquisition via Registry Hive Dumping" id: "7e2cc050-cd4d-11eb-ab0a-51ff65f25624" rule id: "b4629ee0-92ce-440b-9165-c2b34556c6e7" signals index: ".siem-signals-default"

Is the Security app not yet compatible with Component Templates?

Please disregard. I was able to get a Component Template to work. I went through and copied all settings (other than mappings), and it now works. I suspect perhaps the "version" : 35 setting? I originally had "version" : 1.

Here is my working Component Template for SIEM Signals:

PUT _index_template/.siem-signals-default
{
  "index_patterns" : [
  ],
  "template" : {
    "settings" : {
      "index" : {
        "lifecycle" : {
          "name" : ".siem-signals-default",
          "rollover_alias" : ".siem-signals-default"
        },
        "mapping" : {
          "total_fields" : {
            "limit" : "10000"
          }
        }
      }
    },
    "mappings" : {
      "_meta": {
        "version": 35
      },
      "dynamic": false,
      "properties" : {
        "_score" : {
          "type" : "long"
        }
      }
    },
    "aliases" : {}
  },
  "composed_of" : [
  ],
  "version" : 35,
  "_meta" : {
    "description" : "SIEM Signals Component-Based Template"
  }
}

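A check that can be run before swapping a legacy signals template for a composable one, added here as an example; it is not code from the poster or from Elastic. It assumes the "version 2" in the error refers to `_meta.version` inside the template's mappings (the field the working template above sets to 35), and the two sample templates are constructed for illustration.

```python
MIN_EQL_MAPPING_VERSION = 2  # taken from the error text quoted in the thread

def body(tpl):
    # Composable templates nest settings/mappings under "template"; legacy ones do not.
    return tpl.get("template", tpl)

def flatten(node, prefix=""):
    # {"index": {"lifecycle": {"name": x}}} and {"index.lifecycle.name": x} flatten alike.
    if not isinstance(node, dict) or not node:
        return {prefix: node}
    flat = {}
    for key, val in node.items():
        flat.update(flatten(val, f"{prefix}.{key}" if prefix else key))
    return flat

def comparable(tpl):
    b = body(tpl)
    return flatten({"version": tpl.get("version"),
                    "settings": b.get("settings", {}),
                    "mappings": b.get("mappings", {})})

def migration_gaps(legacy, migrated):
    """Return (path, legacy_value, migrated_value) for every value that changed or was lost."""
    old, new = comparable(legacy), comparable(migrated)
    return sorted((p, old.get(p), new.get(p))
                  for p in old.keys() | new.keys() if old.get(p) != new.get(p))

def mapping_version(tpl):
    return body(tpl).get("mappings", {}).get("_meta", {}).get("version")

def eql_ready(tpl):
    # Assumption: this is the value the detection engine compares against.
    v = mapping_version(tpl)
    return isinstance(v, int) and v >= MIN_EQL_MAPPING_VERSION

# Constructed sample templates (names and patterns are placeholders).
LEGACY = {"index_patterns": ["signals-example-*"], "version": 35,
          "settings": {"index": {"lifecycle": {"name": "signals-example"},
                                 "mapping": {"total_fields": {"limit": "10000"}}}},
          "mappings": {"_meta": {"version": 35}, "dynamic": False,
                       "properties": {"_score": {"type": "long"}}}}
MIGRATED = {"index_patterns": ["signals-example-*"], "version": 1,
            "template": {"settings": {"index.lifecycle.name": "signals-example"},
                         "mappings": {"dynamic": False,
                                      "properties": {"_score": {"type": "long"}}}}}

if __name__ == "__main__":
    for path, was, now in migration_gaps(LEGACY, MIGRATED):
        print(f"{path}: {was!r} -> {now!r}")
    print("EQL rules can run against migrated template:", eql_ready(MIGRATED))
```
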