Description
opened on Apr 24, 2022
We're trying to enable some indicator match detections in prod, however the rules are failing to raise the alerts due to an index mapping conflict between the source event and the .siem-signals index mapping. In this instance it's because a field is a keyword in the proxy log and an object in the .siem-signals index mapping. There should be no circumstances where a security alert isn't raised because of something like an index mapping conflict. The impact to the business of missing potentially critical security alerts is too high. Every time a security alert is raised by the detection engine, the analysts need to see it in the SIEM interface.
Adding ignore_malformed to every field in the .siem-signals index mapping would mitigate the risk of security alerts not being raised because of something as trivial as an index mapping conflict. A workaround to identify mapping conflicts might be applying an alias to all data streams and .siem-signals indexes, then using the data view tab to identify the conflicting fields.
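The workaround described above (alias everything, then look for conflicting fields in a data view) can also be done offline against the mappings themselves. The script below is an added example, not code from this issue or from Kibana/Elasticsearch: it flattens two Elasticsearch `properties` mappings into dotted field paths and reports every path whose type differs, which is exactly the keyword-vs-object clash the issue describes. The two mappings are constructed for illustration, modelled on a proxy log source index and a `.siem-signals` index, and are not real Elastic templates.

```python
"""Added example (not from the issue or from Elastic): find field-type
conflicts between a source index mapping and a signals index mapping."""


def flatten_mapping(properties, prefix=""):
    """Return {dotted_field_path: es_type} for an Elasticsearch 'properties' dict.

    A field that has nested 'properties' but no explicit 'type' is an object
    field. Multi-fields (e.g. host.name.keyword) are emitted as their own leaves.
    """
    flat = {}
    for name, spec in properties.items():
        path = f"{prefix}{name}"
        default_type = "object" if "properties" in spec else "unknown"
        flat[path] = spec.get("type", default_type)
        if "properties" in spec:
            flat.update(flatten_mapping(spec["properties"], path + "."))
        for sub_name, sub_spec in spec.get("fields", {}).items():
            flat[f"{path}.{sub_name}"] = sub_spec.get("type", "unknown")
    return flat


def find_conflicts(source_properties, target_properties):
    """Return {field: (source_type, target_type)} for fields present in both
    mappings whose types disagree. Fields only on one side never conflict."""
    src = flatten_mapping(source_properties)
    dst = flatten_mapping(target_properties)
    shared = sorted(src.keys() & dst.keys())
    return {f: (src[f], dst[f]) for f in shared if src[f] != dst[f]}


# Constructed sample: a proxy log index where 'url' is a plain keyword.
PROXY_LOG_MAPPING = {
    "@timestamp": {"type": "date"},
    "event": {"properties": {"category": {"type": "keyword"}}},
    "source": {"properties": {"ip": {"type": "ip"}}},
    "url": {"type": "keyword"},
    "user": {"properties": {"name": {"type": "keyword"}}},
}

# Constructed sample: a signals index where 'url' is an object with sub-fields.
SIGNALS_MAPPING = {
    "@timestamp": {"type": "date"},
    "event": {"properties": {"category": {"type": "keyword"}}},
    "source": {"properties": {"ip": {"type": "ip"}}},
    "url": {
        "properties": {
            "original": {"type": "keyword"},
            "domain": {"type": "keyword"},
        }
    },
    "user": {"properties": {"name": {"type": "keyword"}}},
}


if __name__ == "__main__":
    for field, (src_type, dst_type) in find_conflicts(
        PROXY_LOG_MAPPING, SIGNALS_MAPPING
    ).items():
        print(f"conflict: {field}: source={src_type} signals={dst_type}")
```

Running the script on the constructed mappings reports a single conflict, `url: source=keyword signals=object`, which is the case that would stop the copied event from being indexed into the signals index. Note that Elasticsearch honours `ignore_malformed` only on field types that support it (numbers, dates, IPs, geo types and similar), not on object fields, so a keyword/object collision still has to be located and resolved in the mapping or the rule's field selection; a check like this one, run whenever a source index template or the signals template changes, catches it before a detection silently stops alerting.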