What is the bug?
The winlog.event_id ECS field has three different raw fields associated with it, which can lead to the wrong field being returned by the mappings/view API. This causes an issue when a user tries to create a detector with rule(s) that require a mapping between the ECS field and a log index field.
For example, if the log index has the field EventID, the mapping view API should automatically map winlog.event_id to EventID and return that mapping in the response, but instead it returns a mapping from winlog.event_id to event_uid or some other field that is not present in the index.
How can one reproduce the bug?
Steps to reproduce the behavior:
- Create a windows index with an EventID field.
- Go to the create detector page and select the windows index and the windows log type.
- In the field mappings section, under the mapped fields tab, you will find that winlog.event_id is not mapped to EventID.
What is the expected behavior?
winlog.event_id should be mapped to the field present in the log index.
What is your host/environment?
Security analytics 2.11
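The resolution step the report describes, as an added example (not code from the security-analytics plugin): a log type lists several candidate raw fields for one ECS field, and the view API should pick the candidate that actually exists in the index. The sample mapping list and index field set are constructed; "EventID" and "event_uid" are the raw fields named above, and "event_id_alt" is a placeholder for the third, unnamed raw field.

```python
"""Resolve ECS field -> raw index field for a log type (added example)."""

# Constructed log-type mapping in an {ecs, raw_field} shape:
# one ECS field (winlog.event_id) with three candidate raw fields.
WINDOWS_LOGTYPE_MAPPINGS = [
    {"ecs": "winlog.event_id", "raw_field": "event_uid"},
    {"ecs": "winlog.event_id", "raw_field": "EventID"},
    {"ecs": "winlog.event_id", "raw_field": "event_id_alt"},  # placeholder name
    {"ecs": "winlog.channel", "raw_field": "Channel"},
    {"ecs": "winlog.provider_name", "raw_field": "Provider_Name"},
]

# Constructed field list of a "windows" index: it has EventID, not event_uid.
INDEX_FIELDS = {"EventID", "Channel", "@timestamp"}


def buggy_view(mappings, index_fields):
    """Reported behaviour: the first candidate raw field wins for each ECS
    field, even when that raw field is absent from the index."""
    out = {}
    for m in mappings:
        out.setdefault(m["ecs"], m["raw_field"])
    return out


def fixed_view(mappings, index_fields):
    """Expected behaviour: map an ECS field only to a candidate raw field that
    is present in the index; ECS fields with no present candidate are reported
    as unmapped instead of being mapped to a non-existent field."""
    mapped, unmapped = {}, set()
    for m in mappings:
        ecs, raw = m["ecs"], m["raw_field"]
        if ecs in mapped:
            continue  # already resolved to a field that exists
        if raw in index_fields:
            mapped[ecs] = raw
            unmapped.discard(ecs)
        else:
            unmapped.add(ecs)
    return {"mapped": mapped, "unmapped": sorted(unmapped)}


if __name__ == "__main__":
    print("buggy:", buggy_view(WINDOWS_LOGTYPE_MAPPINGS, INDEX_FIELDS))
    print("fixed:", fixed_view(WINDOWS_LOGTYPE_MAPPINGS, INDEX_FIELDS))
```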