7.12.1 threshold rule, group by field within actions

Hi,

With 7.12.1 I can see our group by field appearing in the detection event, in this case it is host.name. I have tried pushing it through within the actions but it is still empty.

I am trying to access this data in several ways

{{context.alerts.0.host.name}}

{{#context.alerts}}
host.name: {{host.name}}
{{/context.alerts}}

{{context.alerts}}

I dumped out the full event with context.alerts and pumped the output to a json editor and it does not look as though host.name is nested - "host.name":"somecomputer",

I am using host.name within actions in normal detections successfully.

Thanks
Phil

Hi @probson, thanks for your question! You need a second loop to iterate over the threshold_result terms and pick out the matching field that you're interested in (or print them all). Since threshold signals are synthetic signals over a group of events, they don't necessarily look exactly like the source events. Fields that are included in the "group by" set can be found in the threshold_result.terms object.

You can see an example in the issue here that is fixed in 7.12.1: [Security Solution][Detections] Threshold signal fields are not available in Actions context · Issue #94699 · elastic/kibana · GitHub

Hope this helps!
Madi


@madi

Do you know if the fields will be directly accessible in the future? In my example, host.name, which is one of the group fields, is available in the context.alerts, but its output is not ECS-compliant.

Thanks
Phil

@probson You mean that it's not ECS-compliant because it's not located in the host.name top-level field? I believe we could copy the data into the original location for fields that have been grouped by. I don't know of any plans to do so, but I see no reason why we couldn't.

@madi ,

That's it. As of 7.12.1, the group by fields look to be copied from the signal.threshold_result.terms "field":"host.name","value":"somecomputer" to the original field name of host.name, but host.name within the action output is not ECS-compliant.

@probson We will consider implications of adding them back as part of: [Security Solution][Detections] Migrating Detections to the new .alerts indices · Issue #100103 · elastic/kibana · GitHub ... in the meantime, I've made a docs update to help address this concern: [DOCS] Add documentation about creating Threshold Rule actions by madirey · Pull Request #687 · elastic/security-docs · GitHub.

Thanks so much!
Madi
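Added example, not part of this thread and not Kibana's own code: it illustrates both Madi's first answer (the second loop over threshold_result.terms inside the alerts loop) and the later exchange about copying the grouped-by terms back into their nested ECS locations. The alert context is constructed to match the 7.12.1 layout described above (a flattened "host.name" key on the alert plus the authoritative copy in signal.threshold_result.terms); the rule name, counts, host and user values are made up. The small Mustache-subset renderer is a stand-in for Kibana's action template engine so the templates can be exercised offline; it is not Kibana's implementation.

```python
import copy
import json
import re


def _alert(host, user, count):
    """One constructed threshold alert in the 7.12.1 shape from the thread:
    grouped-by field as a flattened key, plus signal.threshold_result.terms."""
    return {"host.name": host,  # flattened key, as observed in the dumped event
            "signal": {"rule": {"name": "Many failed logons per host"},
                       "threshold_result": {"count": count, "terms": [
                           {"field": "host.name", "value": host},
                           {"field": "user.name", "value": user}]}}}


# Constructed `context` object as an action would receive it (values made up).
SAMPLE_CONTEXT = {"context": {"alerts": [_alert("somecomputer", "svc-backup", 42),
                                         _alert("othercomputer", "alice", 17)]}}

# Action message with the second loop: iterate the alerts, then each alert's
# threshold_result.terms, printing every grouped-by field and its value.
TEMPLATE = (
    "{{#context.alerts}}"
    "rule: {{signal.rule.name}} count: {{signal.threshold_result.count}}\n"
    "{{#signal.threshold_result.terms}}"
    "  {{field}}: {{value}}\n"
    "{{/signal.threshold_result.terms}}"
    "{{/context.alerts}}"
)

TAG_RE = re.compile(r"\{\{(#|/)?\s*([\w.]+)\s*\}\}")


def lookup(name, stack):
    """Resolve a dotted name against a context stack, innermost frame first.
    Each segment descends one nesting level, so the flattened "host.name" key
    is never reached by the path host.name (why {{context.alerts.0.host.name}}
    renders empty on the 7.12.1 alert shape)."""
    for frame in reversed(stack):
        cur, found = frame, True
        for part in name.split("."):
            if isinstance(cur, dict) and part in cur:
                cur = cur[part]
            elif isinstance(cur, list) and part.isdigit() and int(part) < len(cur):
                cur = cur[int(part)]
            else:
                found = False
                break
        if found:
            return cur
    return None


def render(template, stack):
    """Minimal Mustache subset: {{name}} variables and {{#name}}...{{/name}}
    sections over lists or objects. Nested sections sharing a name are not
    supported; stand-in for Kibana's template engine, not its code."""
    out, pos = [], 0
    while True:
        m = TAG_RE.search(template, pos)
        if not m:
            out.append(template[pos:])
            return "".join(out)
        out.append(template[pos:m.start()])
        kind, name = m.group(1), m.group(2)
        if kind == "/":
            raise ValueError(f"unexpected closing tag {name}")
        if kind == "#":
            close = re.compile(r"\{\{/\s*" + re.escape(name) + r"\s*\}\}")
            cm = close.search(template, m.end())
            if cm is None:
                raise ValueError(f"unclosed section {name}")
            body, val = template[m.end():cm.start()], lookup(name, stack)
            for item in (val if isinstance(val, list) else ([val] if val else [])):
                out.append(render(body, stack + [item]))
            pos = cm.end()
        else:
            val = lookup(name, stack)
            if isinstance(val, (dict, list)):
                val = json.dumps(val)  # {{context.alerts}} dumps the whole array
            out.append("" if val is None else str(val))
            pos = m.end()


def render_action_message(context=SAMPLE_CONTEXT, template=TEMPLATE):
    return render(template, [context])


def group_by_fields(alert):
    """{field: value} for every grouped-by term of one threshold alert."""
    return {t["field"]: t["value"]
            for t in lookup("signal.threshold_result.terms", [alert]) or []}


def copy_terms_to_ecs(alert):
    """Copy each grouped-by term into its nested ECS location (host -> name):
    the 'copy the data into the original location' idea from the thread."""
    fixed = copy.deepcopy(alert)
    for field, value in group_by_fields(alert).items():
        parts, node = field.split("."), fixed
        for part in parts[:-1]:
            node = node.setdefault(part, {})
        node[parts[-1]] = value
    return fixed


def ecs_normalized_context(context=SAMPLE_CONTEXT):
    """Context with every alert's terms copied back, so {{host.name}} resolves."""
    return {"context": {"alerts": [copy_terms_to_ecs(a) for a in context["context"]["alerts"]]}}
```

Running `render_action_message()` prints one "rule ... count" line per alert followed by an indented line per grouped-by term, which is the output the nested loop in the template produces. `ecs_normalized_context()` shows the alternative the later replies discuss: once the terms are copied into nested `host.name` / `user.name` objects, the plain `{{host.name}}` tag from the original post works without the second loop.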