Add data_stream.dataset to security alert mapping

[mbudge]

Hi,

With most data moving to data_stream.dataset, please can you add data_stream.dataset to the security alert mapping?

Also copy the data_stream.dataset from the parent event when it exists.

event.dataset doesn't always exist. We had about 15 open security alerts/rules and only 1 had event.dataset/kibana.alert.original_event.data_stream.dataset set.

It will be easier for analysts to pivot off data_stream.dataset in the alert into logs-* and datastream.dataset to find related events, improving usability.

Currently analysts have to the following 2 fields to locate related events in parent indexes. This is fine for beats but elastic-agent makes more use for data_stream.dataset which is easier to filter on.

• kibana.alert.ancestors.index
• signal.ancestors.index

We've started creating dashboards to visualise the siem alert data. Adding data_stream.dataset field will allow us to create dashboard drill-downs to help analysts pivot into dashboards to view related security events used during the triage process. If you prefix the field with "kibana.alert.original_event" analysts will have to edit the filter to change the field name to data_stream.dataset. This will make the triage process more cumbersome.

Thanks

[elasticmachine]

Pinging @elastic/response-ops (Team:ResponseOps)

[elasticmachine]

Pinging @elastic/security-detections-response (Team:Detections and Resp)

[mbudge]

Please add it to .alerts-security.alerts-mappings component template

data_stream.dataset, type and namespace event.dataset