[Security Solution][Detections] Rule fails when timestamp override field is not mapped #91594
Labels:
- bug: Fixes for quality problems that affect the customer experience
- Feature:Detection Rules: Anything related to Security Solution's Detection Rules
- Team:Detections and Resp: Security Detection Response Team
- Team: SecuritySolution: Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.
In 7.11 support was added (#86368) for querying multiple timestamps and falling back to `@timestamp` if the `timestampOverride` field did not exist in the source index. If this fallback occurred, the rule would write a partial failure informing the user of the missing field, but still write any alerts from the fallback query using `@timestamp`. In testing #91553, a permutation was found that resulted in a full rule failure instead of a partial, and would prevent alerts from being written for the fallback query using `@timestamp`.

This can be recreated using any of the `Elastic Endgame` detection rules as the `endgame-*` index does not include a mapping for `event.ingested`, and the resulting ES error from this request is in a different format than what is currently expected.

`Elastic Endgame` rule to use `event.ingested` as the timestamp override field, and enable the rule. Note: since this field doesn't exist and there is client side validation, you must duplicate, then export the rule, modify the ndjson, and re-import. Or just use this rule here... 🙂 event_ingested_failure_rule.ndjson.zip
This is the result of a different ES error response format, and the following line:
kibana/x-pack/plugins/security_solution/server/lib/detection_engine/signals/utils.ts, line 139 in 4584a8b
Kibana version:
7.11.x
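The distinction the issue draws (partial failure with `@timestamp` fallback versus full rule failure) comes down to how the ES error is parsed. The following is an added example, not Kibana's own code: it normalises two Elasticsearch error shapes (a top-level `error` object with `root_cause`, and per-shard `_shards.failures`) into one list before deciding the rule status. The interfaces, the `classifyResult` helper and the sample responses are assumptions constructed for the example, not taken from the issue or from utils.ts.

```typescript
// Added example, not Kibana code. Shapes are simplified; real ES responses carry more fields.
interface EsFailure { type: string; reason: string; }
interface EsErrorResponse { error: { type: string; reason: string; root_cause?: EsFailure[] } }
interface EsShardFailureResponse { _shards: { failures?: Array<{ index: string; reason: EsFailure }> } }
type EsSearchResult = EsErrorResponse | EsShardFailureResponse | Record<string, unknown>;

/** Flatten whichever error format Elasticsearch used into a single list of failures. */
function extractFailures(resp: EsSearchResult): EsFailure[] {
  const out: EsFailure[] = [];
  const err = (resp as EsErrorResponse).error;
  if (err) {
    // Prefer root_cause entries; fall back to the top-level type/reason when absent.
    const causes: EsFailure[] = err.root_cause?.length
      ? err.root_cause
      : [{ type: err.type, reason: err.reason }];
    causes.forEach((c) => out.push({ type: c.type, reason: c.reason }));
  }
  const shards = (resp as EsShardFailureResponse)._shards;
  shards?.failures?.forEach((f) => out.push({ type: f.reason.type, reason: f.reason.reason }));
  return out;
}

/** True when the failure is only about the override field having no mapping. */
function isMissingFieldFailure(f: EsFailure, field: string): boolean {
  return f.reason.includes(`[${field}]`) && /no mapping/i.test(f.reason);
}

type RuleStatus = 'succeeded' | 'partial failure' | 'failed';

/** Partial failure (fall back to @timestamp) only if every failure is the unmapped override field. */
function classifyResult(resp: EsSearchResult, timestampOverride: string): RuleStatus {
  const failures = extractFailures(resp);
  if (failures.length === 0) return 'succeeded';
  return failures.every((f) => isMissingFieldFailure(f, timestampOverride)) ? 'partial failure' : 'failed';
}

// Constructed sample responses (not captured from a real cluster) in the two formats.
const shardFormat: EsSearchResult = {
  _shards: { failures: [{ index: 'endgame-000001',
    reason: { type: 'query_shard_exception', reason: 'No mapping found for [event.ingested] in order to sort on' } }] },
};
const topLevelFormat: EsSearchResult = {
  error: { type: 'search_phase_execution_exception', reason: 'all shards failed',
    root_cause: [{ type: 'query_shard_exception', reason: 'No mapping found for [event.ingested] in order to sort on' }] },
};
```

Both sample responses should classify as a partial failure, so the rule keeps writing alerts from the `@timestamp` query; any other error still yields a full failure.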