Hello,
i am currently integrating our watchguard vpn logs into our Elasticsearch siem.
I basically build a logstash rule that takes its Syslog output and mapps it onto ECS.
While everthing now works as expected, i noticed that when i create Detections for it, i can't use the Analyze button.
Is there a way to figure out which field is wrongly mapped or which data this function needs?
Seeing this too, except in an Auditbeat entry.
I resolved the only unknown field I found, "network direction", but that did not resolve the issue.
Any luck figuring it out?
I'm guessing this explains it:
Looks like it may only be compatible with events from Winlogbeat with the sysmon module, or the endpoint agent.
Find events to analyzeedit
You can only visualize events triggered by hosts configured with the Elastic Endpoint Security Integration or any sysmon data from winlogbeat .
In KQL, this translates to any event with the agent.type set to either:
endpointwinlogbeat with event.module set to sysmon
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.