elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

siem detection rule misleading error message v7.10.0 #85491

Open saiiman opened 3 years ago

saiiman commented 3 years ago

I tried to implement a detection rule (query rule) for the Elastic SIEM module (Elasticsearch Version 7.10.0) and got this error message. [screenshot]

I wondered how an error in the system index .siem-signals-default could occur. Also, in this index the host field was an object.

When I looked for the error, I found out that my custom index was indexed incorrectly. I would recommend formulating the error message more clearly, to something like:

Bulk Indexing of signals failed: object mapping for [host] tried to parse field [host] as object, but found a concrete value name: "hostname_in_custom_index" id: "..." rule id: "..." signals index: "custom_index"

(because "test" is the name of the rule and not the name from the incorrectly parsed field host.)
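The underlying failure is a mapping conflict: the source index stores `host` as a concrete value (a string), while the signals index maps `host` as an object with sub-fields such as `host.name`, so copying the source document into `.siem-signals-default` fails at bulk-index time. The following is an added example, not code from the Kibana project or from the reporter, that checks documents against a mapping for exactly this kind of conflict before they are indexed. The mapping fragment, the index name `custom_index`, the document ids and the documents themselves are constructed for the example; only the `host` object layout follows the ECS shape the signals index uses.

```python
"""Detect object-vs-concrete-value conflicts between documents and an
Elasticsearch mapping, the condition behind the error
'object mapping for [host] tried to parse field [host] as object, but
found a concrete value'. Added example; mapping and data are constructed."""

from typing import Any, Dict, List

# Constructed subset of a signals-style mapping: `host` is an object with
# ECS sub-fields, `message` and `@timestamp` are concrete fields.
SIGNALS_MAPPING: Dict[str, Any] = {
    "properties": {
        "@timestamp": {"type": "date"},
        "message": {"type": "text"},
        "host": {
            "properties": {
                "name": {"type": "keyword"},
                "ip": {"type": "ip"},
            }
        },
    }
}

# Constructed documents as a custom source index would deliver them.
CUSTOM_INDEX_DOCS: Dict[str, Dict[str, Any]] = {
    "doc-1": {"@timestamp": "2020-12-04T11:47:33Z", "message": "login ok",
              "host": {"name": "web-01", "ip": "10.0.0.5"}},
    # Concrete string where the signals mapping expects an object.
    "doc-2": {"@timestamp": "2020-12-04T11:47:34Z", "message": "login failed",
              "host": "web-02"},
    # Object where the signals mapping expects a keyword.
    "doc-3": {"@timestamp": "2020-12-04T11:47:35Z", "message": "sudo",
              "host": {"name": {"short": "web-03"}}},
}


def _expects_object(spec: Dict[str, Any]) -> bool:
    # A mapping entry with "properties" but no "type" is an object mapping;
    # "object" and "nested" are the explicit object-like types.
    return spec.get("type", "object") in ("object", "nested")


def find_mapping_conflicts(mapping: Dict[str, Any], doc: Dict[str, Any],
                           path: str = "") -> List[str]:
    """Return one 'field.path: reason' line per field whose value shape
    (object vs concrete) disagrees with the mapping. Unmapped fields are
    skipped because dynamic mapping, not this check, decides their type."""
    conflicts: List[str] = []
    props = mapping.get("properties", {})
    for key, value in doc.items():
        field_path = f"{path}.{key}" if path else key
        spec = props.get(key)
        if spec is None:
            continue
        # Elasticsearch treats arrays as repeated values of the same field.
        items = value if isinstance(value, list) else [value]
        for item in items:
            if item is None:
                continue
            if _expects_object(spec):
                if isinstance(item, dict):
                    conflicts.extend(find_mapping_conflicts(spec, item, field_path))
                else:
                    conflicts.append(
                        f"{field_path}: mapped as object, but found a concrete value {item!r}")
            elif isinstance(item, dict):
                conflicts.append(
                    f"{field_path}: mapped as {spec.get('type')}, but found an object")
    return conflicts


def check_source_index(source_index: str, mapping: Dict[str, Any],
                       docs: Dict[str, Dict[str, Any]]) -> List[str]:
    """Check every document of a source index and report conflicts together
    with the source index name and document id, the context the issue asks
    the Kibana error message to carry."""
    messages: List[str] = []
    for doc_id, doc in docs.items():
        for conflict in find_mapping_conflicts(mapping, doc):
            messages.append(f"source index [{source_index}] doc [{doc_id}]: {conflict}")
    return messages


if __name__ == "__main__":
    for line in check_source_index("custom_index", SIGNALS_MAPPING, CUSTOM_INDEX_DOCS):
        print(line)
```

Running the check against the live mapping (`GET .siem-signals-default/_mapping`) and a sample of `_source` documents from the rule's index pattern locates the offending index and field before the rule runs. The usual fix on the source side is to move the concrete value into the ECS sub-field, for example with an ingest pipeline `rename` processor from `host` to `host.name`, and to reindex documents that were already written with the wrong shape.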

elasticmachine commented 3 years ago

Pinging @elastic/es-core-infra (Team:Core/Infra)

elasticmachine commented 3 years ago

Pinging @elastic/es-search (Team:Search)

Sinistr0 commented 2 years ago

@saiiman how did you solve that? I'm having the same error.