Trying to create an anomaly detector, and no matter the query I keep getting error 500, reason: status_exception.
Example POST:
POST _plugins/_anomaly_detection/detectors
{
  "name": "powershell_execution_detector",
  "description": "Detects anomalies in PowerShell executions",
  "time_field": "timestamp",
  "indices": ["wazuh_agents_*"],
  "feature_attributes": [
    {
      "feature_name": "powershell_exec_count",
      "feature_enabled": true,
      "aggregation_query": {
        "powershell_exec_count": {
          "filter": {
            "bool": {
              "must": [
                { "term": { "data_win_system_eventID": "4688" } }
              ],
              "should": [
                { "regexp": { "data_win_eventdata_newProcessName": ".*powershell\\.exe" } },
                { "regexp": { "data_win_eventdata_newProcessName": ".*pwsh\\.exe" } }
              ],
              "minimum_should_match": 1,
              "must_not": [
                { "regexp": { "data_win_eventdata_subjectUserName": ".*\\$$" } }
              ]
            }
          }
        }
      }
    }
  ],
  "detection_interval": {
    "period": {
      "interval": 10,
      "unit": "MINUTES"
    }
  },
  "window_delay": {
    "period": {
      "interval": 1,
      "unit": "MINUTES"
    }
  }
}
Returns error:
{
  "error": {
    "root_cause": [
      {
        "type": "status_exception",
        "reason": "Validation failed for feature(s) of detector powershell_execution_detector Exceptions: [Feature has an invalid query causing a runtime exception: powershell_exec_count]"
      }
    ],
    "type": "status_exception",
    "reason": "Validation failed for feature(s) of detector powershell_execution_detector Exceptions: [Feature has an invalid query causing a runtime exception: powershell_exec_count]"
  },
  "status": 500
}
I have verified that all fields exist, that the timestamp field is a date, and that the others are keywords:
  "data_win_eventdata_timestamp": {
    "type": "date"
  },
  "data_win_system_eventID": {
    "type": "keyword"
  },
  "data_win_eventdata_newProcessName": {
    "type": "keyword"
  },
  "data_win_eventdata_subjectUserName": {
    "type": "keyword"
  },
Running POST _plugins/_anomaly_detection/detectors/_validate and _validate/model against the same POST statement above returns:
{
  "detector": {
    "feature_attributes": {
      "message": "Feature has an invalid query causing a runtime exception: powershell_exec_count",
      "sub_issues": {
        "powershell_exec_count": "Feature has an invalid query causing a runtime exception"
      }
    }
  }
}
Running the query alone returns results as expected:
GET wazuh_agents_*/_search
{
  "query": {
    "bool": {
      "must": [
        { "term": { "data_win_system_eventID": 4688 } }
      ],
      "should": [
        { "wildcard": { "data_win_eventdata_newProcessName": "*powershell.exe*" } },
        { "wildcard": { "data_win_eventdata_newProcessName": "*pwsh.exe*" } }
      ],
      "minimum_should_match": 1,
      "must_not": [
        { "regexp": { "data_win_eventdata_subjectUserName": ".*\\$$" } }
      ]
    }
  }
}
Returns:
  "took": 27,
  "timed_out": false,
  "_shards": {
    "total": 15,
    "successful": 15,
    "skipped": 0,
    "failed": 0
  },
  "hits": {
    "total": {
      "value": 10000,
      "relation": "gte"
    },
    "max_score": 3.1283467,
Any help identifying what I'm doing wrong would be greatly appreciated. Thank you in advance for taking the time to review my post.
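An added example, not part of the post above and not code from the OpenSearch Anomaly Detection plugin: a small offline pre-check that inspects the detector body before sending it to `_validate`. It rests on two assumptions that the post does not confirm and that should be checked against the plugin's own documentation: that a feature's `aggregation_query` must be a single-value metric aggregation (`avg`, `sum`, `min`, `max`, `value_count`, `cardinality`) rather than a bucket aggregation such as `filter`, and that document filtering belongs in the detector-level `filter_query` field. `rewrite_with_filter_query` and its `count_field` parameter are hypothetical helpers constructed here; the detector body is a trimmed copy of the one in the post.

```python
import copy
import json

# Aggregation types a feature may use. Assumption (taken from the plugin's
# documentation as I read it, not stated in the post): a feature must be a
# single-value metric aggregation; bucket aggregations such as "filter" fail.
SUPPORTED_FEATURE_AGGS = {"avg", "sum", "min", "max", "value_count", "cardinality"}

# Trimmed copy of the detector body from the post.
DETECTOR_FROM_POST = {
    "name": "powershell_execution_detector",
    "time_field": "timestamp",
    "indices": ["wazuh_agents_*"],
    "feature_attributes": [
        {
            "feature_name": "powershell_exec_count",
            "feature_enabled": True,
            "aggregation_query": {
                "powershell_exec_count": {
                    "filter": {
                        "bool": {
                            "must": [{"term": {"data_win_system_eventID": "4688"}}],
                            "should": [
                                {"regexp": {"data_win_eventdata_newProcessName": ".*powershell\\.exe"}},
                                {"regexp": {"data_win_eventdata_newProcessName": ".*pwsh\\.exe"}},
                            ],
                            "minimum_should_match": 1,
                            "must_not": [
                                {"regexp": {"data_win_eventdata_subjectUserName": ".*\\$$"}}
                            ],
                        }
                    }
                }
            },
        }
    ],
}


def check_feature(feature):
    """Return a list of problems with one feature_attributes entry (empty if none)."""
    problems = []
    aggq = feature.get("aggregation_query", {})
    if len(aggq) != 1:
        problems.append("aggregation_query must contain exactly one named aggregation")
        return problems
    agg_name, agg_body = next(iter(aggq.items()))
    if agg_name != feature.get("feature_name"):
        problems.append(f"aggregation name {agg_name!r} differs from feature_name")
    # The remaining keys of the named aggregation are its type (e.g. "filter", "sum").
    agg_types = [k for k in agg_body if k not in ("meta", "aggs", "aggregations")]
    if len(agg_types) != 1:
        problems.append("named aggregation must have exactly one aggregation type")
        return problems
    agg_type = agg_types[0]
    if agg_type not in SUPPORTED_FEATURE_AGGS:
        problems.append(
            f"{agg_type!r} is not a single-value metric aggregation; "
            f"use one of {sorted(SUPPORTED_FEATURE_AGGS)} and move filtering to filter_query"
        )
    elif "field" not in agg_body[agg_type]:
        problems.append(f"{agg_type!r} aggregation needs a 'field'")
    return problems


def validate_detector(detector):
    """Map each feature_name to its list of problems."""
    return {f["feature_name"]: check_feature(f) for f in detector["feature_attributes"]}


def rewrite_with_filter_query(detector, count_field="data_win_eventdata_newProcessName"):
    """Hypothetical rewrite: move a feature's 'filter' clause to the detector-level
    filter_query and turn the feature into a value_count over count_field."""
    fixed = copy.deepcopy(detector)
    for feature in fixed["feature_attributes"]:
        name = feature["feature_name"]
        body = feature["aggregation_query"][name]
        if "filter" in body:
            fixed["filter_query"] = body["filter"]  # one feature here, so no merging needed
            feature["aggregation_query"] = {name: {"value_count": {"field": count_field}}}
    return fixed


if __name__ == "__main__":
    print(json.dumps(validate_detector(DETECTOR_FROM_POST), indent=2))
    print(json.dumps(rewrite_with_filter_query(DETECTOR_FROM_POST), indent=2))
```

Run the rewritten body through `_validate` before creating the detector; the pre-check only catches the structural issue it is written for and does not replace the plugin's own validation.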