The index pattern was refreshed successfully in O365 Module

[Michael Reiner]

Hey there.

Everytime I expand an event in the O365 Module, I get the following message:

The index pattern was refreshed successfully.
There were some unknown fields for the current index pattern. You need to refresh the page to apply the changes.

If I ignore the message to expand other entries, after a while the site becomes unresponsive.

Clicking reload does nothing but reloading the page. The message comes back the moment I expand another event.

[Othniel Ebolum]

Hi Michael, 

I hope you are doing well. 

To troubleshoot, try Clearing the browser cache and cookies to ensure a clean session.

if the issues persist after this, there may be unknown fields in the index pattern configuration and it may need to be refreshed. 

Refresh the index pattern by selecting the menu icon in the top left corner and navigate to Management -> Stack Management -> Index Patterns -> wazuh-alerts-*. Click the refresh button on that index pattern page as shown below.

you can follow examples made in the Wazuh dashboard header in this blog post: monitoring Linux resource usage with Wazuh

I hope this helps.

Best Regards, 

[Michael Reiner]

Hi.

Tried everything. Cleared cached, even tried a new InPrivate session, refreshed the fields, same problem.

[Michael Reiner]

It seems to have something to do with parsing the events.

For example:

I have an Audit.AzureActiveDirectory Event.

Field List in the wazuh-alerts-* index pattern shows the Fields:

data.office365.DeviceProperties.Name

and

data.office365.DeviceProperties.Value

But the Event shows the field

data.office365.DeviceProperties

as "unknown" field with the content

{
  "Value": "Windows 10",
  "Name": "OS"
},
{
  "Value": "Chrome",
  "Name": "BrowserType"
},
{
  "Value": "False",
  "Name": "IsCompliantAndManaged"
}