[Security Solution][Detections][BUG] ES|QL rule execution error when source document has a non-ECS compliant sub-field with data under `event` field #187384
Describe the bug:
This error comes from the client, who noticed that their rules were failing with the error:
```
An error occurred during rule execution: message: "[1:6778] failed to parse field [kibana.alert.original_event.action] of type [keyword] in document with id '027b925ae2799635a0dee97a6aa9d58dc87d9771'."
```
The issue happens when the source index has a non-ECS compliant sub-field on the `event` field.
Steps to reproduce:
Error screenshot
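
A pre-check for the condition this issue describes, added here as an example and not code from Kibana or the reporter: it flags source documents whose `event` object puts sub-fields under a field that ECS defines as a scalar, which a `keyword`-typed target such as `kibana.alert.original_event.action` cannot parse. The function names, the `ECS_EVENT_LEAVES` subset and the sample documents are assumptions constructed for illustration.

```javascript
// Assumption: a small subset of ECS `event.*` fields that are scalar leaves
// (keyword/date/long) in ECS and therefore must never hold an object.
const ECS_EVENT_LEAVES = ['action', 'category', 'kind', 'module', 'outcome', 'type',
  'created', 'severity'];

const isObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Expand dotted keys ("event.action.raw") into nested objects; Elasticsearch
// accepts both notations in _source. Null-prototype objects keep keys such as
// "__proto__" from touching Object.prototype.
function expandDots(doc) {
  const out = Object.create(null);
  for (const [key, value] of Object.entries(doc)) {
    const parts = key.split('.');
    const last = parts.pop();
    let node = out;
    for (const part of parts) {
      if (!isObject(node[part])) node[part] = Object.create(null);
      node = node[part];
    }
    const v = isObject(value) ? expandDots(value) : value;
    if (isObject(node[last]) && isObject(v)) Object.assign(node[last], v);
    else node[last] = v;
  }
  return out;
}

// Return the ECS scalar `event.*` paths where the document holds an object
// (or an array of objects) instead of a scalar value.
function findNonEcsEventSubfields(source) {
  const event = expandDots(source).event;
  if (!isObject(event)) return [];
  return ECS_EVENT_LEAVES.filter((name) => {
    const value = event[name];
    return isObject(value) || (Array.isArray(value) && value.some(isObject));
  }).map((name) => `event.${name}`);
}

// Constructed sample documents (not taken from the issue).
const compliant = { event: { action: 'login', category: ['authentication'] } };
const nested = { event: { action: { raw: 'login' }, kind: 'event' } };
const dotted = { 'event.action.raw': 'login', 'event.outcome': 'success' };

for (const doc of [compliant, nested, dotted]) {
  console.log(JSON.stringify(doc), '->', findNonEcsEventSubfields(doc));
}
```

Running this over a sample of documents from the rule's source index shows which `event.*` fields need to be renamed or remapped at ingest.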