Issues with some decoded fields.


ocerna0721

Aug 29, 2023, 2:54:59 PM
to Wazuh | Mailing List

Hello, good afternoon everyone,

I'm bringing up a case regarding a rule that I'm using. I've attached the code of the rule:
<group name="custom">
    <rule id="100008" level="8">
        <decoded_as>json</decoded_as>
        <description>Process intel of TSS</description>
    </rule>
</group>

Here's the log that is being decoded:
{"Process Name": "OUTLOOK.EXE", "PID": 81848, "srcip": "192.168.1.120", "srcport": 54958, "dstIP": "52.96.165.194", "dstport": 443, "Source Geo": "Unknown, Unknown", "Destination Geo": "Unknown, Unknown"}

I've also included the result of the rule test:
**Phase 1: Completed pre-decoding.
            full event: '{"Process Name": "OUTLOOK.EXE", "PID": 81848, "srcip": "192.168.1.120", "srcport": 54958, "dstIP": "52.96.165.194", "dstport": 443, "Source Geo": "Unknown, Unknown", "Destination Geo": "Unknown, Unknown"}'

**Phase 2: Completed decoding.
            name: 'json'
            Destination Geo: 'Unknown, Unknown'
            PID: '81848'
            Process Name: 'OUTLOOK.EXE'
            Source Geo: 'Unknown, Unknown'
            dstIP: '52.96.165.194'
            dstport: '443'
            srcip: '192.168.1.120'
            srcport: '54958'

**Phase 3: Completed filtering (rules).
            id: '100008'
            level: '8'
            description: 'Process intel of TSS'
            groups: '["custom"]'
            firedtimes: '2'
            mail: 'true'

**Alert to be generated.

However, I'm encountering an issue where I'm seeing the following message in the event view:
[attachment: FieldErrors.png]

What can I do to include these fields or how can I achieve this?

Christian Borla

Aug 29, 2023, 3:45:16 PM
to Wazuh | Mailing List
Hi,
I hope you are doing fine.

The error message "No cached mapping for this field" typically occurs in Elasticsearch when you are trying to perform a query or aggregation operation on a field in Kibana, but Elasticsearch doesn't have a mapping for that field.
The rule is firing and the alert is generated, but the field might not exist in any of the documents in your Elasticsearch index.

You can try going to Kibana > Management > Index patterns, select your desired pattern and click the refresh button at the top right corner ("Refresh field list"); now you can search by the term data.domain in Discover and/or use it to create custom dashboards.

Note: If you restart Kibana and the Wazuh App is installed, it will restore the cached mapping for all fields that appear in index patterns that are compatible with the Wazuh App. If you need help with this task, let us know (fix in progress, sorry about the inconvenience).

A useful link is https://documentation.wazuh.com/current/user-manual/ruleset/custom.html

Let me know if that helps.
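To make the two halves of this thread concrete (the Phase 2 field names the JSON decoder produces for the rule above, and the "No cached mapping" symptom Christian describes), here is a small added example. It is not Wazuh's code and not from the original posts: it re-implements the flattening that wazuh-logtest shows (nested objects joined with ".", every value rendered as a string), applies a rule check equivalent to rule 100008, prefixes the fields with the `data.` namespace they carry in the indexed alert, and compares them against a constructed list of fields the index pattern is assumed to have cached. Array handling and the `CACHED_FIELDS` set are assumptions, not something the thread states.

```python
import json

# Constructed sample event: same shape as the log in the first post.
SAMPLE_EVENT = (
    '{"Process Name": "OUTLOOK.EXE", "PID": 81848, "srcip": "192.168.1.120", '
    '"srcport": 54958, "dstIP": "52.96.165.194", "dstport": 443, '
    '"Source Geo": "Unknown, Unknown", "Destination Geo": "Unknown, Unknown"}'
)

# Constructed assumption: fields the index pattern knows about before
# "Refresh field list" is clicked. Anything the alert carries beyond this
# set is what Kibana flags as "No cached mapping for this field".
CACHED_FIELDS = {
    "timestamp", "agent.name", "rule.id", "rule.level", "rule.description",
    "data.srcip", "data.srcport", "data.dstport",
}


def _as_string(value):
    """Render a scalar the way the decoder output shows it (booleans lowercase)."""
    if isinstance(value, bool):
        return "true" if value else "false"
    if value is None:
        return "null"
    return str(value)


def flatten(obj, prefix=""):
    """Flatten nested JSON into the dotted field names wazuh-logtest prints.

    Objects recurse with '.' as separator; arrays are kept as their JSON text
    (assumption for this example, not a statement about Wazuh's own decoder).
    """
    out = {}
    for key, value in obj.items():
        name = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(flatten(value, name + "."))
        elif isinstance(value, list):
            out[name] = json.dumps(value)
        else:
            out[name] = _as_string(value)
    return out


def decode_event(raw):
    """Phase 2 equivalent: return decoder name and flat fields, or None if not JSON."""
    try:
        obj = json.loads(raw)
    except json.JSONDecodeError:
        return None
    if not isinstance(obj, dict):
        return None
    return {"name": "json", "fields": flatten(obj)}


def rule_matches(decoded, decoded_as="json", required_fields=()):
    """Phase 3 equivalent for a rule like 100008.

    <decoded_as> must match; required_fields models optional <field name="...">
    conditions (rule 100008 has none, so any JSON object fires it).
    """
    if decoded is None or decoded["name"] != decoded_as:
        return False
    return all(f in decoded["fields"] for f in required_fields)


def alert_fields(decoded):
    """Field names as they appear once the alert is indexed (decoder output lives under 'data.')."""
    return {f"data.{k}": v for k, v in decoded["fields"].items()}


def unmapped_fields(decoded, cached):
    """Fields the alert carries that the index pattern has not cached yet."""
    return sorted(f for f in alert_fields(decoded) if f not in cached)


if __name__ == "__main__":
    decoded = decode_event(SAMPLE_EVENT)
    print("rule 100008 fires:", rule_matches(decoded))
    for name, value in decoded["fields"].items():
        print(f"    {name}: '{value}'")
    print("needs index-pattern refresh:", unmapped_fields(decoded, CACHED_FIELDS))
```

Running it lists the same nine dotted names the Phase 2 output shows (with "Process Name" and "Source Geo" kept verbatim, spaces included, which is why they must be resolved through the index pattern's field list rather than typed by hand), and reports which `data.*` names are still outside the cached set. After the refresh step in Kibana, the equivalent check against the real field list should come back empty.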

Gerardo David Caceres Fleitas

Aug 29, 2023, 5:42:53 PM
to Wazuh | Mailing List

Hello Ocerna,

As Christian said, that error message usually occurs if those fields are not yet mapped in the cache. Please refresh the index pattern and let us know if it worked.
[attachments: 1.png, 2.png, 3.png]

If you have any more questions about this, we're here to help.

Greetings.
Gerardo Cáceres.

ocerna0721

Aug 29, 2023, 6:59:46 PM
to Wazuh | Mailing List
Thank you very much, Christian and Gerardo. Both answers were extremely helpful.