Security Analytics Error - 'and' operator not supported

jerroot · September 11, 2024, 2:28pm

Getting the following error when I try do build out detection rules, detectors, etc. in the “Security Analytics” area of OpenSearch.

"Failed to retrieve rules:

[security_analytics_exception] Operator ‘and’ not supported by the backend"

I can’t find any info on this specific error when I search.
What is this referring to, and where can I find the “and” operator it’s referencing?

Eugene7 · September 16, 2024, 12:27pm

Hi @jerroot ,

Could you please share your rules configurations? What version of OpenSearch do you use?

jerroot · September 16, 2024, 5:24pm

We’re using OpenSearch v 2.9

Here is a sample of a detection rule I built, but I can’t go on to create a detector.

id: <ID_HERE>
logsource:
  product: azure
title: TEST_rule_TEST
description: TEST_rule_TEST
tags: []
falsepositives: []
level: medium
status: test
references: []
author: <NAME_HERE>
detection:
  condition: Severity
  Severity:
    alert_severity:
      - medium

Topic		Replies	Views
Security Analytics - doesn't work, no rules Security Analytics	2	234	July 7, 2024
Security analytics - not able create detector Security Analytics	3	231	July 10, 2024
Failed to start Document-level-monitor: Inconsistency of field data structures across documents for field Security Analytics	4	657	May 28, 2023
Feedback: Experimental Feature - Security Analytics General Feedback	10	793	January 3, 2023
Error creating custom rules through the Rule API Security Analytics	2	533	January 9, 2024

Security Analytics Error - 'and' operator not supported

Related topics