elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Solution][Detections][BUG] ES|QL rule execution error when source document has a non-ECS compliant sub-field with data under `event` field #187384

Open e40pud opened 1 week ago

e40pud commented 1 week ago

Describe the bug: This error comes from a client who noticed that their rules were failing with the error:

```
An error occurred during rule execution: message: "[1:6778] failed to parse field [kibana.alert.original_event.action] of type [keyword] in document with id '027b925ae2799635a0dee97a6aa9d58dc87d9771'."
```

The issue happens when the source index has a non-ECS compliant sub-field on the `event` field.

Steps to reproduce:

1. Add mapping

   ```
   PUT my_sdh_1015
   {
     "mappings": {
       "properties": {
         "event": {
           "properties": {
             "action": {
               "type": "text",
               "fields": {
                 "keyword": {
                   "type": "keyword",
                   "ignore_above": 256
                 }
               }
             }
           }
         }
       }
     }
   }
   ```

2. Add document

   ```
   PUT my_sdh_1015/_doc/1
   {
     "@timestamp": "2024-07-02T14:10:00Z",
     "event.action": "Hello world!"
   }
   ```

3. Create an ES|QL rule

   ```
   from my_sdh_1015* metadata _id
   | sort @timestamp DESC
   | limit 1
   ```

Error screenshot

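As an added illustration (not code from the issue, nor from Kibana or Elasticsearch), here is a small Python check that walks an index mapping like the one in step 1 and lists fields that are nested under a typed leaf field of the `event` object, such as the `event.action.keyword` multi-field under the `text` field `event.action`. The mapping literal is a constructed copy of the one in the reproduction steps; the choice of `event` as the root and the "sub-field hanging off a leaf" criterion are this example's own assumptions about what to look for when auditing source indices before pointing an ES|QL rule at them.

```python
"""Report sub-fields nested under leaf fields of the `event` object in an
Elasticsearch index mapping (e.g. `event.action.keyword` under the text
field `event.action`), the pattern described in the issue above."""

from typing import Dict, List, Tuple

# Constructed copy of the mapping from step 1 of the reproduction.
EXAMPLE_MAPPING = {
    "mappings": {
        "properties": {
            "event": {
                "properties": {
                    "action": {
                        "type": "text",
                        "fields": {
                            "keyword": {"type": "keyword", "ignore_above": 256}
                        },
                    }
                }
            }
        }
    }
}


def leaf_fields(properties: Dict, prefix: str = "") -> List[Tuple[str, str]]:
    """Return (dotted_path, type) for every addressable leaf in a `properties`
    map, descending into `properties` (sub-objects) and `fields` (multi-fields)."""
    leaves: List[Tuple[str, str]] = []
    for name, spec in properties.items():
        path = f"{prefix}.{name}" if prefix else name
        if "properties" in spec:
            # Object field: its children are the leaves, not the object itself.
            leaves.extend(leaf_fields(spec["properties"], path))
        else:
            leaves.append((path, spec.get("type", "object")))
        # Multi-fields hang off a leaf but are queryable under their own path.
        for sub_name, sub_spec in spec.get("fields", {}).items():
            leaves.append((f"{path}.{sub_name}", sub_spec.get("type", "?")))
    return leaves


def nested_under_leaf(mapping: Dict, root: str = "event") -> List[str]:
    """Paths under `root` whose parent path is itself a typed leaf field.

    Accepts either the body of a PUT-mapping request (with a top-level
    "mappings" key) or a bare {"properties": ...} object (assumption)."""
    props = mapping.get("mappings", mapping).get("properties", {})
    if root not in props:
        return []
    leaves = leaf_fields({root: props[root]})
    leaf_paths = {path for path, _ in leaves}
    flagged = []
    for path, _ in leaves:
        parent = path.rsplit(".", 1)[0] if "." in path else ""
        if parent in leaf_paths:
            flagged.append(path)
    return sorted(flagged)


if __name__ == "__main__":
    for path in nested_under_leaf(EXAMPLE_MAPPING):
        print(f"sub-field under a leaf: {path}")
```

Running it against the reproduction mapping reports `event.action.keyword`; an index whose `event.action` is a plain `keyword` field with no multi-fields reports nothing.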
elasticmachine commented 1 week ago

Pinging @elastic/security-solution (Team: SecuritySolution)

elasticmachine commented 1 week ago

Pinging @elastic/security-detection-engine (Team:Detection Engine)