Open maximpn opened 5 months ago
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Pinging @elastic/security-solution (Team: SecuritySolution)
Pinging @elastic/security-detection-engine (Team:Detection Engine)
We're working on determining a good UX for supporting unmapped alert index fields. Added this ticket to the relevant epic.
Summary
The Alerts table doesn't provide a way to filter by fields without mappings, e.g. `winlog.event_data.ServiceFilename`. At the same time it doesn't allow adding a runtime field for `winlog.event_data.ServiceFilename`, complaining that this field exists. A runtime field is required to filter out or search for alerts.
Steps to reproduce
1. `*:*` query to "promote" all source events to alerts
2. Stack Management -> Data Views -> Security Data View -> Add Field, or the Fields button right above the alerts table in grid mode -> Create field button

ER: It's possible to create a runtime field for `winlog.event_data.ServiceFilename`.

AR: Errors appear. `winlog.event_data.ServiceFilename` in the Name field leads to an "A field with this name already exists." error. `runtime.winlog.event_data.ServiceFilename` and a script lead to "No field found for [winlog.event_data.ServiceFilename] in mapping".

UPDATE: The following script allows creating a runtime field
Additional notes
It's possible to add a runtime mapping for `winlog.event_data.ServiceFilename` on a clean instance, in other words until some data appears in the Security Data View which maps to `.alerts-security.alerts-default,apm-*-transaction*,auditbeat-*,endgame-*,filebeat-*,logs-*,packetbeat-*,traces-apm*,winlogbeat-*,-*elastic-cloud-logs-*`. In this case filtering at the Alerts table works.
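As an added example (not the script referred to in the issue, which is not reproduced on this page), a search-time workaround for filtering alerts on the unmapped field: the request body below is sent to `POST .alerts-security.alerts-default/_search` and declares `winlog.event_data.ServiceFilename` as a `runtime_mappings` keyword computed from each alert's `_source`. It assumes the promoted source event kept that value under the same path in the alert document's `_source`; the `*.exe` pattern is a constructed filter value, not one from the issue.

```json
{
  "runtime_mappings": {
    "winlog.event_data.ServiceFilename": {
      "type": "keyword",
      "script": {
        "source": "def v = params._source?.winlog?.event_data?.ServiceFilename; if (v != null) { emit(v.toString()); }"
      }
    }
  },
  "query": {
    "bool": {
      "filter": [
        { "exists": { "field": "winlog.event_data.ServiceFilename" } },
        {
          "wildcard": {
            "winlog.event_data.ServiceFilename": {
              "value": "*.exe",
              "case_insensitive": true
            }
          }
        }
      ]
    }
  },
  "fields": ["winlog.event_data.ServiceFilename", "kibana.alert.rule.name"],
  "_source": false
}
```

The null-safe `?.` chain makes the script emit nothing for alerts whose source event lacks the field, so the `exists` filter drops them instead of the script failing on a missing key.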