Error in ElastAlert when parsing log #12166
Replies: 1 comment

Can you share the Sigma for the Play?
Version: 2.4.30
Installation Method: Security Onion ISO image
Description: configuration
Installation Type: Standalone
Location: on-prem with Internet access
Hardware Specs: Exceeds minimum requirements
CPU: 26
RAM: 128
Storage for /: 200 GB
Storage for /nsm: 1 TB
Network Traffic Collection: span port
Network Traffic Speeds: Less than 1Gbps
Status: Yes, all services on all nodes are running OK
Salt Status: No, there are no failures
Logs: Yes, there are additional clues in /opt/so/log/ (please provide detail below)
Detail:
When creating a rule in Playbook to trigger for a Windows source, an error occurs. The error message from ElastAlert indicates a problem when trying to write alert information to Elasticsearch: a parsing error (document_parsing_exception) occurred for the match_body.user.id field. This field was expected to be of type long (an integer data type), but the actual value of the field ('S-1-5-21-3080172177-780197540-4289498753-1182') is not of this type. Accordingly, the alarm does not appear in SOC Alerts (it is empty there).
It looks like the main problem is a data type mismatch. The match_body.user.id field is expected to be a number (long), but a string is passed to it, which causes an error when parsing the document. This may require adjusting the Elastalert configuration or changing the data schema in Elasticsearch to handle this type of value.
Help me figure out how to fix the error.
I am attaching the log:
2024-01-12 04:11:45,087 WARNING elasticsearch POST https://seconion-qc:9200/elastalert/_doc [status:400 request:0.006s]
2024-01-12 04:11:45,087 ERROR elastalert Error writing alert info to Elasticsearch: RequestError(400, 'document_parsing_exception', "[1:5141] failed to parse field [match_body.user.id] of type [long] in document with id 'A7De-4wBRWlvJ4-eZM87'. Preview of field's value: 'S-1-5-21-3080172177-780197540-4289498753-1182'")
Traceback (most recent call last):
File "/usr/local/lib/python3.11/site-packages/elastalert/elastalert.py", line 1461, in writeback
res = self.writeback_es.index(index=index, body=body)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/elasticsearch/client/utils.py", line 152, in _wrapped
return func(*args, params=params, headers=headers, **kwargs)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/elasticsearch/client/__init__.py", line 398, in index
return self.transport.perform_request(
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/elasticsearch/transport.py", line 392, in perform_request
raise e
File "/usr/local/lib/python3.11/site-packages/elasticsearch/transport.py", line 358, in perform_request
status, headers_response, data = connection.perform_request(
^^^^^^^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/site-packages/elasticsearch/connection/http_requests.py", line 199, in perform_request
self._raise_error(response.status_code, raw_data)
File "/usr/local/lib/python3.11/site-packages/elasticsearch/connection/base.py", line 315, in _raise_error
raise HTTP_EXCEPTIONS.get(status_code, TransportError)(
elasticsearch.exceptions.RequestError: RequestError(400, 'document_parsing_exception', "[1:5141] failed to parse field [match_body.user.id] of type [long] in document with id 'A7De-4wBRWlvJ4-eZM87'. Preview of field's value: 'S-1-5-21-3080172177-780197540-4289498753-1182'")
2024-01-12 04:11:45,149 INFO elastalert Ran Local User Creation TARAS TEST - afadef0fb from 2024-01-12 04:01 UTC to 2024-01-12 04:11 UTC: 1 query hits (0 already seen), 1 matches, 1 alerts sent
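As an added example (not part of the report, of ElastAlert, or of Security Onion), the following Python check reproduces the diagnosis in the log offline: it flattens an Elasticsearch index mapping and an alert document into dotted paths and reports every leaf whose mapped numeric type cannot accept the document's value. The mapping and the alert document below are constructed samples; the idea that match_body.user.id was dynamically mapped as long by an earlier alert carrying a numeric user id is an assumption used to build the sample, not a finding from the page. Elasticsearch's default coercion of numeric strings into long fields is modelled in simplified form (integers and integer-looking strings pass; a Windows SID string does not).

```python
"""Pre-flight type check for an alert document against an Elasticsearch mapping.

Added example: reports the same long-vs-string mismatch that Elasticsearch
rejects with document_parsing_exception, before the document is indexed.
"""
from typing import Any, Dict, List, Tuple

# Constructed mapping for a writeback index (assumption: match_body.user.id was
# dynamically mapped as "long" by an earlier alert with a numeric user id).
SAMPLE_MAPPING: Dict[str, Any] = {
    "properties": {
        "rule_name": {"type": "keyword"},
        "match_body": {
            "properties": {
                "user": {
                    "properties": {
                        "id": {"type": "long"},
                        "name": {"type": "keyword"},
                    }
                },
                "event": {"properties": {"code": {"type": "long"}}},
            }
        },
    }
}

# Constructed alert document; the SID is the value quoted in the report.
SAMPLE_ALERT: Dict[str, Any] = {
    "rule_name": "Local User Creation",
    "match_body": {
        "user": {"id": "S-1-5-21-3080172177-780197540-4289498753-1182", "name": "taras"},
        "event": {"code": "4720"},
    },
}

# Elasticsearch integer-like field types that refuse non-numeric strings.
NUMERIC_TYPES = {"long", "integer", "short", "byte"}


def _leaf_types(mapping: Dict[str, Any], prefix: str = "") -> Dict[str, str]:
    """Flatten a mapping into {dotted.path: field_type}."""
    out: Dict[str, str] = {}
    for name, spec in mapping.get("properties", {}).items():
        path = f"{prefix}{name}"
        if "properties" in spec:
            out.update(_leaf_types(spec, path + "."))
        elif "type" in spec:
            out[path] = spec["type"]
    return out


def _leaf_values(doc: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Flatten a document into {dotted.path: value}."""
    out: Dict[str, Any] = {}
    for key, value in doc.items():
        path = f"{prefix}{key}"
        if isinstance(value, dict):
            out.update(_leaf_values(value, path + "."))
        else:
            out[path] = value
    return out


def _accepted_by_long(value: Any) -> bool:
    """Simplified model of Elasticsearch coercion into an integer-like field."""
    if isinstance(value, bool):
        return False
    if isinstance(value, (int, float)):
        return True  # floats are truncated by Elasticsearch, so they index
    if isinstance(value, str):
        try:
            int(value.strip())
            return True  # numeric strings such as "4720" are coerced
        except ValueError:
            return False  # a SID such as "S-1-5-21-..." is rejected
    return False


def find_type_conflicts(mapping: Dict[str, Any], doc: Dict[str, Any]) -> List[Tuple[str, str, Any]]:
    """Return (path, mapped_type, value) for every leaf that would fail to parse."""
    types = _leaf_types(mapping)
    conflicts: List[Tuple[str, str, Any]] = []
    for path, value in _leaf_values(doc).items():
        mapped = types.get(path)
        if mapped in NUMERIC_TYPES and not _accepted_by_long(value):
            conflicts.append((path, mapped, value))
    return conflicts


if __name__ == "__main__":
    for path, mapped, value in find_type_conflicts(SAMPLE_MAPPING, SAMPLE_ALERT):
        print(f"failed to parse field [{path}] of type [{mapped}]; value: {value!r}")
```

Running the script prints one line for match_body.user.id, while match_body.event.code passes because "4720" is coercible to a long. In practice the mapping would be fetched from the writeback index with a GET mapping request and the check run before each write, so an alert with a conflicting field can be flagged or routed for review instead of being silently dropped from SOC Alerts.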