[Alerts][Non-ECS] Improve alert flows non-ECS mapped field UX

yctercero commented 8 months ago

Describe the feature:

There's been a number of issues filed around the user experience for interacting with non ECS fields in our flows. In the UI we allow users to filter and search using non-ECS fields, but doing so breaks the alerts table as our APIs do not support this.

Some issues that have been filed related to this issue - #136351, #166168.

After discussing our options, a proposed solution is as follows:

If a field is unmapped:
- do not show action options to filter field in/out
- show a new option to add the field as a runtime field

This way, we are guiding the user towards a solution, not simply blocking or taking away functionality.

Areas that would need updating:

Hover actions in alerts table, alerts details flyout

elasticmachine commented 8 months ago

Pinging @elastic/security-threat-hunting (Team:Threat Hunting)

elasticmachine commented 8 months ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)

elastic / kibana

[Alerts][Non-ECS] Improve alert flows non-ECS mapped field UX #171059