It's me again.
I have created a new index called ldap_delme2 with the following command:
POST ldap_delme2/_mapping
{
  "properties": {
    "@timestamp" : {
      "type" : "date"
    },
    "user.name" : {
      "type": "keyword"
    },
    "event.category": {
      "type": "text"
    },
    "event.outcome" : {
      "type": "text"
    }
  }
}
which leads to this mapping schema:
{
  "ldap_delme2" : {
    "mappings" : {
      "properties" : {
        "@timestamp" : {
          "type" : "date"
        },
        "event" : {
          "properties" : {
            "category" : {
              "type" : "text"
            },
            "outcome" : {
              "type" : "text"
            }
          }
        },
        "user" : {
          "properties" : {
            "name" : {
              "type" : "keyword"
            }
          }
        }
      }
    }
  }
}
I have indexed this event 5 times (timestamps differ by 1 second for each entry):
POST ldap_delme2/_doc/
{
  "@timestamp" : "2020-10-08T17:00:15",
  "user.name" : "test.user",
  "event.category" : "authentication",
  "event.outcome" : "failed"
}
Which leads to an index that looks like this:
{
  "took" : 1,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 6,
      "relation" : "eq"
    },
    "max_score" : 0.074107975,
    "hits" : [
      {
        "_index" : "ldap_delme2",
        "_type" : "_doc",
        "_id" : "Yf7OCHUBJXM-BF0goJ6i",
        "_score" : 0.074107975,
        "_source" : {
          "@timestamp" : "2020-10-08T17:00:10",
          "user.name" : "test.user",
          "event.category" : "authentication",
          "event.outcome" : "failed"
        }
      },
      {
        "_index" : "ldap_delme2",
        "_type" : "_doc",
        "_id" : "Yv7OCHUBJXM-BF0gp55A",
        "_score" : 0.074107975,
        "_source" : {
          "@timestamp" : "2020-10-08T17:00:11",
          "user.name" : "test.user",
          "event.category" : "authentication",
          "event.outcome" : "failed"
        }
      },
      {
        "_index" : "ldap_delme2",
        "_type" : "_doc",
        "_id" : "Y_7OCHUBJXM-BF0grZ40",
        "_score" : 0.074107975,
        "_source" : {
          "@timestamp" : "2020-10-08T17:00:12",
          "user.name" : "test.user",
          "event.category" : "authentication",
          "event.outcome" : "failed"
        }
      },
      {
        "_index" : "ldap_delme2",
        "_type" : "_doc",
        "_id" : "ZP7OCHUBJXM-BF0gs545",
        "_score" : 0.074107975,
        "_source" : {
          "@timestamp" : "2020-10-08T17:00:13",
          "user.name" : "test.user",
          "event.category" : "authentication",
          "event.outcome" : "failed"
        }
      },
      {
        "_index" : "ldap_delme2",
        "_type" : "_doc",
        "_id" : "Zf7OCHUBJXM-BF0guJ7n",
        "_score" : 0.074107975,
        "_source" : {
          "@timestamp" : "2020-10-08T17:00:14",
          "user.name" : "test.user",
          "event.category" : "authentication",
          "event.outcome" : "failed"
        }
      },
      {
        "_index" : "ldap_delme2",
        "_type" : "_doc",
        "_id" : "Zv7OCHUBJXM-BF0gvp59",
        "_score" : 0.074107975,
        "_source" : {
          "@timestamp" : "2020-10-08T17:00:15",
          "user.name" : "test.user",
          "event.category" : "authentication",
          "event.outcome" : "failed"
        }
      }
    ]
  }
}
I created a new detection rule with these settings:
The rule is unable to produce any signal.
Now in the "Overview" tab I get a Data Fetch error that complains about the usage of non-keyword fields for aggregation, even though the user.name field is only mapped to the type keyword.
I have created a third index identical to the one I posted here except every field has the type keyword.
I am still unable to produce a single signal.