Problem when creating a detection rule

I have data sent by auditbeat version 8.15.5. It enters the data stream with the following settings:

{
  ".ds-logs-auditbeat-8.5.0-000001": {
    "settings": {
      "index": {
        "replication": {
          "type": "DOCUMENT"
        },
        "hidden": "true",
        "number_of_shards": "1",
        "provided_name": ".ds-logs-auditbeat-8.5.0-000001",
        "creation_date": "1771409911411",
        "number_of_replicas": "0",
        "uuid": "z8hoJ9fDRCqErxkJc9BKHA",
        "version": {
          "created": "137267827"
        }
      }
    }
  }
}

{
  "data_streams": [
    {
      "name": "logs-auditbeat-8.5.0",
      "timestamp_field": {
        "name": "@timestamp"
      },
      "indices": [
        {
          "index_name": ".ds-logs-auditbeat-8.5.0-000001",
          "index_uuid": "z8hoJ9fDRCqErxkJc9BKHA"
        }
      ],
      "generation": 1,
      "status": "GREEN",
      "template": "logs-auditbeat-8.5.0"
    }
  ]
}

When trying to create the rule, I get the following error:

Security Analytics - DetectorsService - createDetector: StatusCodeError: [security_analytics_exception] Validation Failed: 1: Index patterns are not supported for doc level monitors.;
    at respond (/usr/share/opensearch-dashboards/node_modules/elasticsearch/src/lib/transport.js:349:15)
    at checkRespForFailure (/usr/share/opensearch-dashboards/node_modules/elasticsearch/src/lib/transport.js:306:7)
    at HttpConnector.<anonymous> (/usr/share/opensearch-dashboards/node_modules/elasticsearch/src/lib/connectors/http.js:173:7)
    at IncomingMessage.wrapper (/usr/share/opensearch-dashboards/node_modules/lodash/lodash.js:5030:19)
    at IncomingMessage.emit (node:events:531:35)
    at endReadableNT (node:internal/streams/readable:1698:12)
    at processTicksAndRejections (node:internal/process/task_queues:90:21) {
  status: 500,
  displayName: 'InternalServerError',
  path: '/_plugins/_security_analytics/detectors',
  query: {},
  body: {
    error: {
      root_cause: [Array],
      type: 'security_analytics_exception',
      reason: 'Validation Failed: 1: Index patterns are not supported for doc level monitors.;',
      caused_by: [Object]
    },
    status: 500
  },
  statusCode: 500,
  response: '{"error":{"root_cause":[{"type":"security_analytics_exception","reason":"Validation Failed: 1: Index patterns are not supported for doc level monitors.;"}],"type":"security_analytics_exception","reason":"Validation Failed: 1: Index patterns are not supported for doc level monitors.;","caused_by":{"type":"action_request_validation_exception","reason":"Validation Failed: 1: Index patterns are not supported for doc level monitors.;"}},"status":500}',
  toString: [Function (anonymous)],
  toJSON: [Function (anonymous)]
}

Configuring the rule via the GUI, opensearch version: opensearch:3.5.0

Has anyone encountered this problem and knows how to solve it?

@Ruslan1 I’ve experienced that today with 3.5 when I was creating a detector against security-audit index.

Did you have that working before, or is this your first try with Security Analytics?

@Ruslan1 Now I remember: I was responding to this case in November 2025.

When the Security Analytics detector is created, Alerting creates a Monitor to support that detector.

The observed error wasn’t caused by SA, but it’s an output from the Alerting plugin.

I suspect that this PR has introduced the pattern check.

In short, the Alerting plugin takes a dot from the index name as part of the regex.

As a workaround, I suggest using an index/alias name without dots, i.e. logs-auditbeat-8_5_0.
You can also report this as a bug in OpenSearch GitHub. If you do so, please share the link here.

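A small preflight check for the workaround above, as an added example that is not part of the thread or of the OpenSearch plugins: it flags detector target names that a doc-level monitor would likely reject, derives a dot-free alias name like the one suggested, and builds the `_aliases` request body for it. Treating the dot as a pattern character follows the reply's hypothesis, and whether a data stream name (rather than its backing index) can be the `index` of an alias depends on the cluster version; both are assumptions.

```python
from typing import Dict, List

# Characters treated here as index-pattern syntax. '*' and '?' are the usual
# wildcards; the dot is included because the reply's hypothesis is that the
# Alerting plugin reads the dot in "logs-auditbeat-8.5.0" as part of a regex.
# That is an assumption carried over from the thread, not a documented rule.
PATTERN_CHARS = frozenset("*?.")


def looks_like_pattern(index_name: str) -> bool:
    """True if a doc-level monitor would likely reject this name as a pattern."""
    return any(ch in PATTERN_CHARS for ch in index_name)


def dotless_alias(index_name: str) -> str:
    """Derive an alias with no dots: logs-auditbeat-8.5.0 -> logs-auditbeat-8_5_0.

    Leading dots (hidden or backing indices such as .ds-...) are dropped rather
    than converted, because alias names may not start with an underscore.
    """
    return index_name.lstrip(".").replace(".", "_")


def preflight(indices: List[str]) -> Dict[str, object]:
    """Sort detector targets into names usable as-is and names that need an alias."""
    ok: List[str] = []
    needs_alias: Dict[str, str] = {}
    for name in indices:
        if looks_like_pattern(name):
            needs_alias[name] = dotless_alias(name)
        else:
            ok.append(name)
    return {"ok": ok, "needs_alias": needs_alias}


def alias_request(index_name: str) -> dict:
    """Body for POST /_aliases pointing the dot-free alias at the original name."""
    return {"actions": [{"add": {"index": index_name,
                                  "alias": dotless_alias(index_name)}}]}


if __name__ == "__main__":
    # Constructed sample: the data stream from the thread plus a dot-free name.
    report = preflight(["logs-auditbeat-8.5.0", "auditbeat-events"])
    print(report)
    for name in report["needs_alias"]:
        print(alias_request(name))
```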

Thanks for the reply. I specified an alias and it works.
