MITRE ATT&CK Data


Utkarsh Bhargava

Apr 27, 2023, 11:04:00 AM
to Wazuh mailing list
Hi community,

I am unable to see MITRE ATT&CK data on my wazuh dashboard. When I check logs I found this : 

Apr 27, 2023 @ 19:37:30  ERROR  search_phase_execution_exception: [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [rule.mitre.id] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [rule.mitre.id] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [rule.mitre.id] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [rule.mitre.id] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [rule.mitre.id] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [rule.mitre.id] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [rule.mitre.id] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [rule.mitre.id] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [rule.mitre.id] in order to load field data by uninverting the inverted index. Note that this can use significant memory.; [illegal_argument_exception] Reason: Text fields are not optimised for operations that require per-document field data like aggregations and sorting, so these operations are disabled by default. Please use a keyword field instead. Alternatively, set fielddata=true on [rule.mitre.id] in order to load field data by uninverting the inverted index. Note that this can use significant memory.

Can anyone help me fix this error?
I am using Wazuh v4.4.0
I have attached the screenshot of the error with this email.
Please have a look.

Thanks & Regards
Utkarsh Bhargava


Sent from Mailspring

Luis Daniel Avendaño Larios

Apr 27, 2023, 12:34:29 PM
to Wazuh mailing list
Hello Utkarsh, 

Thanks for using Wazuh!

This error message indicates that there is an issue with the configuration of the Wazuh Indexer/Elasticsearch index used by Wazuh. Specifically, the "rule.mitre.id" field is defined as a text field rather than a keyword field, which is causing issues with sorting and aggregations.

To resolve this issue, you have two options:

1. Change the field type to "keyword" in the Indexer/Elasticsearch index mapping. You can do this by running the following command:

# Mapping types such as "/alert" in the URL are rejected by OpenSearch and Elasticsearch 7+, so the path is just /_mapping.
# Note: the indexer will not change the type of a field that already exists in an index; this mapping takes effect for fields that are not yet mapped, or when applied to the index template before new indices are created.
curl -XPUT 'localhost:9200/wazuh-alerts-*/_mapping' -H 'Content-Type: application/json' -d '{"properties":{"rule.mitre.id":{"type":"keyword"}}}'
This command will change the "rule.mitre.id" field type to "keyword" in the Wazuh index mapping.

2. Set the "fielddata" parameter to "true" for the "rule.mitre.id" field in the Indexer/Elasticsearch index. You can do this by running the following command:

# Enabling fielddata on an existing text field is a permitted in-place mapping update.
curl -XPUT 'localhost:9200/wazuh-alerts-*/_mapping' -H 'Content-Type: application/json' -d '{"properties":{"rule.mitre.id":{"type":"text","fielddata":true}}}'
This command will set the "fielddata" parameter to "true" for the "rule.mitre.id" field in the Wazuh index mapping.


Once you have made either of these changes, you should restart the Wazuh service and check if the MITRE ATT&CK data is now visible on your dashboard.

I hope this helps, let me know if you need anything else.
Regards,
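Before applying either option from the reply above, it helps to confirm which fields are actually mapped as text without fielddata. The following is an added example, not code from the thread or from Wazuh: it walks a constructed sample of what GET wazuh-alerts-*/_mapping returns (not a real response), lists every leaf field that cannot be aggregated or sorted, and builds the PUT _mapping body for the fielddata option.

```python
"""Find text fields that break aggregations in an indexer mapping response.

Constructed example for the Wazuh thread: the sample below imitates the
JSON returned by GET wazuh-alerts-*/_mapping on OpenSearch/Elasticsearch;
it is hand-written, not captured from a real cluster.
"""
import json

# Constructed sample: one index where rule.mitre.id is a plain text field,
# rule.description already has fielddata enabled, and the rest are keywords.
SAMPLE_MAPPING = json.loads("""{
  "wazuh-alerts-4.x-2023.04.27": {"mappings": {"properties": {
    "rule": {"properties": {
      "mitre": {"properties": {
        "id": {"type": "text"},
        "tactic": {"type": "keyword"}
      }},
      "description": {"type": "text", "fielddata": true}
    }},
    "agent": {"properties": {"id": {"type": "keyword"}}}
  }}}
}""")


def non_aggregatable_fields(mapping):
    """Return sorted dotted paths of text fields with no fielddata enabled."""
    found = set()

    def walk(props, prefix):
        for name, spec in props.items():
            path = f"{prefix}.{name}" if prefix else name
            if "properties" in spec:          # object field: recurse
                walk(spec["properties"], path)
            elif spec.get("type") == "text" and not spec.get("fielddata"):
                found.add(path)               # would raise the thread's error

    for index in mapping.values():
        walk(index.get("mappings", {}).get("properties", {}), "")
    return sorted(found)


def fielddata_patch(paths):
    """Build the PUT <index>/_mapping body enabling fielddata on each path."""
    return {"properties": {p: {"type": "text", "fielddata": True} for p in paths}}


if __name__ == "__main__":
    bad = non_aggregatable_fields(SAMPLE_MAPPING)
    print("text fields without fielddata:", bad)
    print(json.dumps(fielddata_patch(bad)))
```

The keyword mapping remains the cheaper choice for new indices; the fielddata body is only for indices that already exist and cannot be reindexed right away.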