[Defend Workflows] Rule Preview Graph Lens Not working for the Custom SentinelOne Rule

[sukhwindersingh-qasource]

Describe the bug:

• Rule Preview Graph Lens Not working for the Custom SentinelOne Rule

Build Details:

VERSION: 8.16.0 - Snapshot
BUILD: 78109
COMMIT: 31bd6acae7e84e686c7b1264967b577c1ef0f20d

Login Credentials

• https://p.elstc.co/paste/SPcH7ZP3#XzwL6u0bWUAtEy6EARq71VtAvBdqTzxdWCNBFGvHUoc

Preconditions

• Kibana should be running.
• Create the Sentinel custom rule with these configurations
  • For index patterns, add logs-sentinel_one.alert*
  • For query, add observer.serial_number:*
• Sentinel Alerts should be generated in the last 1 hour

Steps to Reproduce

• Navigate to the Sentinel rules edit settings
• Scroll to the rule preview section
• Select Timeframe as 1 hour
• Click on the refresh button
• Observe Rule Preview Graph Lens Not working for the Custom SentinelOne Rule and showing The "event.category" field can not be used for filtering. although Event.category field is present in the Alerts Data

Actual result

• Rule Preview Graph Lens Not working for the Custom SentinelOne Rule

Expected Result

• Rule Preview Graph Lens Should be working for the Custom SentinelOne Rule

Whats working

• It is working fine for the endpoint rule and the other custom rules which are using the elastic agents data

Screen-cast

https://github.com/user-attachments/assets/8849512c-3ec3-4fe2-be5a-ceb2190b9dec

Logs

• N/A

[elasticmachine]

Pinging @elastic/security-defend-workflows (Team:Defend Workflows)

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[sukhwindersingh-qasource]

@muskangulati-qasource , Kindly review this Thanks!!

[muskangulati-qasource]

Reviewed and assigned to @dasansol92

[elasticmachine]

Pinging @elastic/security-detection-engine (Team:Detection Engine)