Closed
Description
Describe the bug
Error occurred during rule execution message: "Search has been aborted due to cancelled execution" on rule preview
Kibana/Elasticsearch Stack version
VERSION: 8.15.1
BUILD: 76516
COMMIT: 1796ec02f5523bff4e449c368a3fea574d44455a
Steps
- Navigate to Security Rule
- Create New Rule with Custom Query Rule type
- Enter the custom query:
not observer.egress:* and not observer.egress.zone:* and not observer.hostname:* and not observer.ingress:* and not observer.ingress.zone:* and not observer.ip:* and not observer.mac:* and not observer.name:* and not observer.product:* and not observer.serial_number:* and not observer.type:* and not observer.vendor:* and not observer.version:* and not agent.ephemeral_id:* and not agent.id:* and not agent.name:* and not agent.type:* and not agent.version:* - Click on Rule Preview
- Observe the error is thrown for the same
Expected Result
- The error should not occur when the task is not aborted
Screenshot
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Metadata
Assignees
Labels
Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.Security Solution Detection Engine AreaSecurity Detection Response TeamFixes for quality problems that affect the customer experienceAddressing this issue will have a medium level of impact on the quality/strength of our product.