Hello,
I am currently integrating our WatchGuard VPN logs into our Elasticsearch SIEM.
I basically built a Logstash rule that takes its syslog output and maps it onto ECS.
While everything now works as expected, I noticed that when I create detections for it, I can't use the Analyze button.
Is there a way to figure out which field is wrongly mapped or which data this function needs?
Seeing this too, except in an Auditbeat entry.
I resolved the only unknown field I found, "network direction", but that did not resolve the issue.
Any luck figuring it out?
I'm guessing this explains it:
Looks like it may only be compatible with events from Winlogbeat with the sysmon module, or the endpoint agent.

Find events to analyze
You can only visualize events triggered by hosts configured with the Elastic Endpoint Security Integration or any sysmon data from winlogbeat.
In KQL, this translates to any event with the agent.type set to either:
- endpoint
- winlogbeat with event.module set to sysmon
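To see which of your indexed events the rule quoted above would accept, the KQL can be typed into Discover as-is. The block below is an added example, not code from the thread or from Elastic: it spells out that KQL, mirrors it in Python, and runs it over a few constructed ECS documents (a Logstash-mapped WatchGuard line, an Auditbeat event, a Winlogbeat security-channel event, a Winlogbeat sysmon event and an Endpoint event) so each one comes back with the reason it would or would not be eligible. The sample documents and field values are assumptions for illustration.

```python
"""Added example (not from the thread or from Elastic): mirror the documented
analyzer eligibility rule and apply it to constructed ECS documents."""

# KQL as it would be entered in Discover to list analyzable events.
ANALYZER_KQL = (
    'agent.type: "endpoint" or '
    '(agent.type: "winlogbeat" and event.module: "sysmon")'
)


def get_field(doc, dotted):
    """Resolve an ECS field given as a flat dotted key or as nested objects."""
    if dotted in doc:
        return doc[dotted]
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def analyzer_eligible(doc):
    """Return (eligible, reason) for one ECS document, following the quoted rule."""
    agent_type = get_field(doc, "agent.type")
    module = get_field(doc, "event.module")
    if agent_type == "endpoint":
        return True, "agent.type is endpoint"
    if agent_type == "winlogbeat":
        if module == "sysmon":
            return True, "winlogbeat with event.module sysmon"
        return False, f"winlogbeat but event.module is {module!r}, not 'sysmon'"
    return False, f"agent.type is {agent_type!r}; analyzer needs endpoint or winlogbeat"


# Constructed sample documents (assumed shapes, not real indexed data).
SAMPLE_EVENTS = {
    # Syslog mapped onto ECS by a Logstash pipeline: no agent.type at all.
    "watchguard_logstash": {
        "event": {"kind": "event", "category": ["network"], "action": "vpn_login"},
        "source": {"ip": "203.0.113.10"},
        "observer": {"vendor": "WatchGuard"},
    },
    "auditbeat": {
        "agent": {"type": "auditbeat"},
        "event": {"module": "auditd", "action": "executed"},
        "network": {"direction": "outbound"},
    },
    "winlogbeat_security": {
        "agent": {"type": "winlogbeat"},
        "event": {"module": "security", "code": "4688"},
    },
    "winlogbeat_sysmon": {
        "agent": {"type": "winlogbeat"},
        "event": {"module": "sysmon", "code": "1"},
    },
    # Flat dotted keys, as some exports render ECS documents.
    "endpoint": {
        "agent.type": "endpoint",
        "event.module": "endpoint",
        "event.category": ["process"],
    },
}


def check_events(events=SAMPLE_EVENTS):
    """Map each sample name to its (eligible, reason) verdict."""
    return {name: analyzer_eligible(doc) for name, doc in events.items()}


if __name__ == "__main__":
    print("KQL:", ANALYZER_KQL)
    for name, (ok, why) in check_events().items():
        print(f"{name:22s} {'OK ' if ok else 'NO '} {why}")
```

Running it shows that the Logstash-mapped syslog and the Auditbeat event both fail on agent.type, which matches what the thread describes: fixing individual unknown fields like network.direction does not help, because the button keys off the agent type and module rather than on the completeness of the ECS mapping.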
Closed September 14, 2021, 2:44pm
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.