Describe the issue:
While working with ECS field mappings and index templates, I noticed that creating a detector automatically generates a component template based on the index mapping. However, this component template often has empty mappings, which prevents detections from triggering. But I have added the ECS mapping to the index template.
In contrast, when I manually map the fields (especially ECS-compliant ones) and then create a detector for the same index, the component template is correctly populated, and detections start working as expected.
I’m trying to understand:
- Why OpenSearch creates a component template during detector creation.
- How this template is used by the detector to analyze incoming events.
- Why detections fail when the auto-generated component template lacks proper mappings.
Any insights or best practices would be appreciated!
Configuration:
- Create an index template for a specific index pattern.
- Add ECS field mappings directly within the index template (not using a separate component template).
- Create a detector and point it to the index that uses the above index template.
- Do not manually add any field mappings during the detector creation process.
- After detector creation, verify that the detector recognizes the ECS field mappings from the index.
- Observe that a component template is automatically created by the detector based on the index configuration.
- Check the auto-generated component template and notice that it contains no field mappings.
Relevant Logs or Screenshots:
GET _plugins/_security_analytics/mappings?index_name=test01
{
  "test01": {
    "mappings": {
      "properties": {
        "winlog": {
          "properties": {
            "event_id": {
              "type": "alias",
              "path": "eventName"
            }
          }
        },
        "timestamp": {
          "type": "alias",
          "path": "time"
        },
        "process": {
          "properties": {
            "command_line": {
              "type": "alias",
              "path": "log.attributes.CommandLine"
            }
          }
        }
      }
    }
  }
}
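An added diagnostic for the symptom described above (example code, not from the original post or the OpenSearch project): it takes the mappings API response shown and a `GET _component_template/<name>` response and lists the ECS alias fields the component template does not carry, so an empty auto-generated template is caught before a detector is relied on. The component template name is a placeholder, the empty-mappings response is constructed, and the `component_templates` response shape is assumed from the standard template API.

```python
import json

# Constructed sample, copied from the mappings API response shown in the post.
SA_MAPPINGS = json.loads("""
{"test01": {"mappings": {"properties": {
  "winlog": {"properties": {"event_id": {"type": "alias", "path": "eventName"}}},
  "timestamp": {"type": "alias", "path": "time"},
  "process": {"properties": {"command_line": {"type": "alias",
                                              "path": "log.attributes.CommandLine"}}}
}}}}
""")

# Constructed sample of GET _component_template/<name> for the auto-generated template
# with empty mappings (the symptom in the post); the template name is a placeholder.
EMPTY_COMPONENT_TEMPLATE = {"component_templates": [{
    "name": "<auto-generated-template-name>",
    "component_template": {"template": {"mappings": {}}}}]}


def flatten_aliases(properties, prefix=""):
    """Return {dotted_field: target_path} for every alias in a 'properties' tree."""
    found = {}
    for name, spec in properties.items():
        dotted = f"{prefix}{name}"
        if spec.get("type") == "alias":
            found[dotted] = spec["path"]
        if "properties" in spec:  # object field: recurse into nested properties
            found.update(flatten_aliases(spec["properties"], dotted + "."))
    return found


def component_template_aliases(ct_response):
    """Aliases declared by every template in a GET _component_template response."""
    found = {}
    for entry in ct_response.get("component_templates", []):
        template = entry["component_template"].get("template", {})
        found.update(flatten_aliases(template.get("mappings", {}).get("properties", {})))
    return found


def missing_aliases(index_name, sa_response, ct_response):
    """Alias fields the mappings API reports for the index but the template lacks
    (or maps to a different path). Empty list means the template is populated."""
    expected = flatten_aliases(sa_response[index_name]["mappings"]["properties"])
    present = component_template_aliases(ct_response)
    return sorted(f for f, p in expected.items() if present.get(f) != p)


if __name__ == "__main__":
    print(missing_aliases("test01", SA_MAPPINGS, EMPTY_COMPONENT_TEMPLATE))
```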