Detector fields mapping issues for OpenSearch v2.5

Greetings Everyone,

Currently, I am having a problem mapping the fields below while trying to create a detector to trigger an alert for a CloudTrail log source event.

  • requestParameters.arn: aws-cloudtrail-requestParameters-arn
  • requestParameters.attribute: aws-cloudtrail-requestParameters-attribute
  • requestParameters.userName: aws-cloudtrail-requestParameters-userName
  • requestParameters.containerDefinitions.command: aws-cloudtrail-requestParameters-containerDefinitions-command

Just wondering if it is possible to 1) modify fieldmappings.yml to remove these fields and add the index's existing fields, in the event that I want to alert based on custom Sigma rule selection and filtering? Basically, editing this file (https://github.com/opensearch-project/security-analytics/blob/2.5/src/main/resources/OSMapping/cloudtrail/fieldmappings.yml) to do something similar to "Modifying the YAML files - OpenSearch documentation", or 2) add the problem fields by recreating the CloudTrail index?

Any help would be greatly appreciated.

Thanks

Hey @apaws06

Have you tried creating a template first? By default I believe OpenSearch is set to dynamic mapping, meaning when it detects new fields it creates them. What I have done was create a custom template with the unique alias needed, so when the log from the device arrives with the same alias it creates the index set and uses my custom template. Just an idea.
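
The template approach suggested above, as an added example that is not from the original thread or from the security-analytics project: a small Python script that builds a composable index template body which pre-declares the four problem fields from the first post as `keyword` leaves under `requestParameters`, and adds OpenSearch `alias`-type fields carrying the `aws-cloudtrail-…` names that point at those paths. The index pattern `cloudtrail-*`, the template priority, the `keyword` type and the alias-field layout are assumptions for illustration; OpenSearch rejects an `alias` whose `path` does not exist in the same mapping, so the script also checks for that before you PUT the body to `_index_template/<name>`.

```python
"""Build an OpenSearch composable index template that declares the CloudTrail
fields a Security Analytics detector wants up front, plus 'alias'-type fields
named after the expected aws-cloudtrail-* aliases.

Added example, not code from the thread or the security-analytics project.
Assumptions: index pattern 'cloudtrail-*', priority 100, every leaf is a
keyword, aliases live at the top level of the mapping.
"""

import json

# Constructed from the four fields listed in the original post:
# actual index field path -> alias name the detector mapping expects.
FIELD_TO_ALIAS = {
    "requestParameters.arn": "aws-cloudtrail-requestParameters-arn",
    "requestParameters.attribute": "aws-cloudtrail-requestParameters-attribute",
    "requestParameters.userName": "aws-cloudtrail-requestParameters-userName",
    "requestParameters.containerDefinitions.command":
        "aws-cloudtrail-requestParameters-containerDefinitions-command",
}


def declare_path(properties: dict, dotted: str, leaf_type: str = "keyword") -> None:
    """Insert a dotted path into a 'properties' tree as nested object mappings
    ending in a leaf of the given type (default: keyword, an assumption)."""
    parts = dotted.split(".")
    node = properties
    for part in parts[:-1]:
        obj = node.setdefault(part, {"properties": {}})
        node = obj.setdefault("properties", {})
    node[parts[-1]] = {"type": leaf_type}


def build_index_template(index_patterns, field_to_alias, leaf_type="keyword"):
    """Return the JSON body for PUT _index_template/<name>."""
    props = {}
    for path in field_to_alias:
        declare_path(props, path, leaf_type)
    # OpenSearch alias fields: {"type": "alias", "path": "<existing field>"}.
    for path, alias in field_to_alias.items():
        props[alias] = {"type": "alias", "path": path}
    return {
        "index_patterns": list(index_patterns),
        "priority": 100,  # assumption; raise it if another template matches
        "template": {"mappings": {"dynamic": True, "properties": props}},
    }


def path_exists(properties: dict, dotted: str) -> bool:
    """True if the dotted path resolves to a concrete leaf field (not an
    object and not another alias) inside the given properties tree."""
    node = properties
    parts = dotted.split(".")
    for part in parts[:-1]:
        node = node.get(part, {}).get("properties")
        if node is None:
            return False
    leaf = node.get(parts[-1])
    return leaf is not None and leaf.get("type") not in (None, "alias", "object")


def unresolved_aliases(template: dict) -> list:
    """Alias fields whose 'path' does not resolve; OpenSearch would reject
    the template with these present."""
    props = template["template"]["mappings"]["properties"]
    return sorted(
        name for name, m in props.items()
        if m.get("type") == "alias" and not path_exists(props, m["path"])
    )


if __name__ == "__main__":
    body = build_index_template(["cloudtrail-*"], FIELD_TO_ALIAS)
    problems = unresolved_aliases(body)
    if problems:
        raise SystemExit(f"aliases with missing targets: {problems}")
    # Pipe this into: curl -XPUT 'http://localhost:9200/_index_template/cloudtrail-sa'
    #   -H 'Content-Type: application/json' -d @-
    print(json.dumps(body, indent=2))
```

Because the template only matches indices created after it exists, an existing CloudTrail index has to be reindexed (or rolled over) into a name that matches the pattern before the detector's field lookup will see the new fields and aliases.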

Thanks Gsmitt. I have an issue with the template. Currently trying to figure out this error: "[security_analytics_exception] No applied aliases not found. Failed to retrieve field mappings."

Hey @apaws06

I see others posted something similar to this in GitHub.
