Bulk Indexing of signals failed: Could not dynamically add mapping for field [source.ip.keyword]. Existing mapping for [source.ip] must be of type object but found [ip]. name: "Prova Nmap detection" id: "8c5e9c50-522d-11ed-895f-390c31d94eb0" rule id: "1fd6fcc8-e7aa-44c9-be7f-5bd699014236" signals index: ".siem-signals-default"
It looks like the issue is caused by incorrect mappings of your source events.
Indices that contain source events for a given rule are determined by the Index patterns field. In your case, mappings of these indices seem to contain a source.ip.keyword field (which I'd assume has a keyword type) while Elastic Security expects to see there a standard ECS field source.ip of type ip.
What happens when this rule executes, is the rule copies many fields like source.* from a source document to the alert that is generated based on this source document, and then tries to index the alert into a separate .alerts-security.alerts-<space-id> index. The alerts index has its own strict mappings where it is expected that source.ip is a field of type ip according to ECS.
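The mapping conflict described in the reply above, as an added example that is not part of the thread or of Elastic's own tooling: a small Python checker that walks the JSON returned by `GET packetbeat-*/_mapping`, reports every index whose `source.ip` (or other listed ECS field) is not mapped with the type the alerts index expects, and builds the `properties` fragment an index template would need to declare those fields correctly. The sample mapping response, the index names and the `ECS_EXPECTED` subset are constructed for the example; the function names `lookup_field`, `find_mismatches` and `ecs_properties_fragment` are assumptions, not an Elasticsearch API.

```python
import json

# Constructed sample: a trimmed GET packetbeat-*/_mapping response in which
# dynamic mapping turned source.ip into a text field with a .keyword
# sub-field instead of the ECS type "ip". Made-up data, not from the thread.
SAMPLE_MAPPINGS = {
    "packetbeat-sample-000001": {
        "mappings": {
            "properties": {
                "source": {
                    "properties": {
                        "ip": {
                            "type": "text",
                            "fields": {"keyword": {"type": "keyword", "ignore_above": 256}},
                        },
                        "port": {"type": "long"},
                    }
                },
                "destination": {
                    "properties": {"ip": {"type": "ip"}, "port": {"type": "long"}}
                },
            }
        }
    },
    "packetbeat-sample-000002": {
        "mappings": {
            "properties": {
                "source": {"properties": {"ip": {"type": "ip"}, "port": {"type": "long"}}},
            }
        }
    },
}

# Fields the alerts index expects, with their ECS types (assumption: only the
# subset relevant to a rule that groups on source.ip).
ECS_EXPECTED = {
    "source.ip": "ip",
    "destination.ip": "ip",
    "source.port": "long",
    "destination.port": "long",
}


def lookup_field(properties, dotted):
    """Walk a mappings 'properties' tree to the leaf for a dotted ECS path.
    Returns the leaf mapping dict, or None if the path does not exist."""
    node = None
    for part in dotted.split("."):
        if properties is None or part not in properties:
            return None
        node = properties[part]
        properties = node.get("properties")
    return node


def find_mismatches(mappings, expected=ECS_EXPECTED):
    """Return (index, field, actual_type, expected_type, has_keyword_subfield)
    for every index whose mapping of a field disagrees with the ECS type."""
    problems = []
    for index_name, body in mappings.items():
        props = body.get("mappings", {}).get("properties", {})
        for field, ecs_type in expected.items():
            leaf = lookup_field(props, field)
            if leaf is None:
                continue  # field absent: dynamic mapping has not seen it yet
            actual = leaf.get("type", "object")  # a node with only sub-properties is an object
            if actual != ecs_type:
                has_kw = "keyword" in leaf.get("fields", {})
                problems.append((index_name, field, actual, ecs_type, has_kw))
    return problems


def ecs_properties_fragment(fields):
    """Build the 'properties' fragment that declares the given dotted fields
    with their ECS types, suitable for an index template's mappings section."""
    root = {}
    for dotted, ecs_type in fields.items():
        node = root
        parts = dotted.split(".")
        for part in parts[:-1]:
            node = node.setdefault(part, {"properties": {}})["properties"]
        node[parts[-1]] = {"type": ecs_type}
    return {"properties": root}


if __name__ == "__main__":
    for index_name, field, actual, wanted, has_kw in find_mismatches(SAMPLE_MAPPINGS):
        note = " (has a .keyword sub-field)" if has_kw else ""
        print(f"{index_name}: {field} is {actual}, ECS expects {wanted}{note}")
    print(json.dumps(ecs_properties_fragment(ECS_EXPECTED), indent=2))
```

Run against a live cluster by replacing `SAMPLE_MAPPINGS` with the parsed body of `GET packetbeat-*/_mapping`; any index reported here will trip the same "must be of type object but found [ip]" error once the rule copies `source.*` into the alerts index, because the alert's own strict mapping only accepts `source.ip` as type `ip`.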
I'm running the app locally for educational purposes, I'm a student. As you may have guessed, I would like to generate an alarm when many packets from the same source IP address are detected. So I necessarily need the group by clause with source.ip.
Thank you very much for the time you are dedicating to me
Hey @Simone_Calo, ultimately, you need to fix the incorrect mappings in your packetbeat-* indices. Since you're running the app locally for educational purposes, the easiest way would probably be to erase all your Elasticsearch data and start from scratch.
1. Export the rules you need (there's a bulk action for it in the Rules table).
2. Stop packetbeat and any other beats you have.
3. Stop your local Kibana and Elasticsearch instances.
Have you tried the same steps with a fresh installation of Elastic Stack on the host OS?
Containerized setup adds another dimension of complexity - e.g. you should know where data is persisted, in what order containers start, how error handling is done when not all the containers are available, etc.