I have a couple of issues with alerts with logs from winlogbeats.
I have alerts created that trigger correctly and send that alert to TheHive, but then I found two issues:
The first is that I can't extract observables such as:
operative_system: "{match[host.os.name]}" or event_id: "{match[winlog.event_id]}"
The only observables that I receive on TheHive are those without a dot (.), i.e.:
msg: "{match[message]}"
The other issue is that I receive the following exception when the alert triggers:
elasticsearch.exceptions.RequestError: RequestError(400, 'mapper_parsing_exception', "failed to parse field [match_body.host] of type [text] in document...
Nevertheless, the fields host.XXX appear in ELK.
I don't know if both issues are related.
Can you help?
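Why only the dot-free fields come through, shown as an added Python example (not ElastAlert's or TheHive's own code). It assumes the alerter renders each hive_observable_data value with Python's str.format against the match dict, so `{match[host.os.name]}` looks up the literal key 'host.os.name', which a nested winlogbeat document does not have; the sample match below is constructed.

```python
from typing import Any, Dict

# Constructed sample of a winlogbeat hit as Elasticsearch returns it: nested
# objects, so "host.os.name" is a path, not a literal key (assumption: ElastAlert
# passes the _source document through to the alerter in this shape).
SAMPLE_MATCH: Dict[str, Any] = {
    "message": "An account was successfully logged on.",
    "host": {"name": "WS01", "os": {"name": "Windows 10"}},
    "winlog": {"event_id": 4624},
}


def naive_render(template: str, match: Dict[str, Any]) -> str:
    """str.format resolves {match[host.os.name]} as match['host.os.name'].

    Inside the brackets everything up to ']' is one literal key, so the dots
    are never walked into the nested dicts: KeyError on a nested match.
    """
    return template.format(match=match)


def naive_resolves(template: str, match: Dict[str, Any]) -> bool:
    """True when plain str.format can render the template for this match."""
    try:
        naive_render(template, match)
        return True
    except KeyError:
        return False


def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Turn {"host": {"os": {"name": x}}} into {"host.os.name": x}.

    Empty dicts are kept as leaf values so no key silently disappears.
    """
    out: Dict[str, Any] = {}
    if isinstance(obj, dict) and obj:
        for key, value in obj.items():
            out.update(flatten(value, f"{prefix}{key}."))
    elif prefix:
        out[prefix[:-1]] = obj
    return out


def render_observable(template: str, match: Dict[str, Any]) -> str:
    """Render against a copy of the match that also carries dotted keys.

    Top-level keys such as "message" keep working; dotted paths such as
    "host.os.name" and "winlog.event_id" now resolve as the rule intends.
    """
    lookup: Dict[str, Any] = dict(match)
    lookup.update(flatten(match))
    return template.format(match=lookup)
```

The same dotted-versus-nested mismatch is what the writeback index complains about: once `match_body.host` has been mapped as text from one document, a later document whose `host` is an object cannot be indexed into that field.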