We get alerts where key fields like host.name and process.name are missing. Looking at a rule with this issue - "Potential Malware-Driven SSH Brute Force Attempt", which is a threshold rule - all the requirements of the rule are fulfilled, and the information in the events seems to be where it’s supposed to be.
We’re running v9.2.3, but looking back we see alerts with the same issue on v9.1.4; alerts on earlier versions (8.x) from the same rule have information in the key fields. We’re trying to figure out what might cause this, i.e. a misconfiguration or an overlooked action prior to upgrading, but can’t figure it out, so any input to help us resolve it is most welcome!
If this is a threshold rule, then what you’re likely experiencing is this documented behavior: if the field in question is not part of the grouping/aggregation, then it will not be present on the alert.
However, if you’re referring to the prebuilt ES|QL rule, that should be collecting e.g. host.name explicitly as shown in the query. As far as I’m aware, that rule has only existed as an ES|QL rule, so I’m not confident which rule you’re referring to.
Luckily, those alerts you mentioned should contain copies of the rule configuration that produced them, so there may be some clues in there.
If this is not the general “threshold rules/aggregated fields” issue, can you please share some (redacted) info about the alerts in question:
Redacted alert objects (demonstrating both “good” and “bad” behavior)
Redacted source events (containing the fields you were expecting)
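The threshold-rule behaviour described in the reply, as an added example that is not part of the original thread and not Elastic's code: a small Python model of how a threshold rule buckets source events by its threshold.field list and copies only the grouped fields onto the alert, plus a helper that reads the rule parameters copied onto an alert to tell whether a missing host.name is the expected aggregation behaviour or something to investigate. The sample events are constructed, and the alert layout (kibana.alert.rule.parameters, kibana.alert.threshold_result) is an assumption that follows the real alert schema only loosely.

```python
# Constructed sample source events (not real data): SSH auth failures as a
# system/auditd integration might ship them. Four from one source IP spread
# over two hosts, one from another IP.
SOURCE_EVENTS = [
    {"@timestamp": "2025-01-01T00:00:01Z", "host.name": "web-01", "process.name": "sshd",
     "source.ip": "203.0.113.5", "user.name": "root", "event.outcome": "failure"},
    {"@timestamp": "2025-01-01T00:00:02Z", "host.name": "web-01", "process.name": "sshd",
     "source.ip": "203.0.113.5", "user.name": "admin", "event.outcome": "failure"},
    {"@timestamp": "2025-01-01T00:00:03Z", "host.name": "web-01", "process.name": "sshd",
     "source.ip": "203.0.113.5", "user.name": "oracle", "event.outcome": "failure"},
    {"@timestamp": "2025-01-01T00:00:04Z", "host.name": "web-02", "process.name": "sshd",
     "source.ip": "203.0.113.5", "user.name": "root", "event.outcome": "failure"},
    {"@timestamp": "2025-01-01T00:00:05Z", "host.name": "web-02", "process.name": "sshd",
     "source.ip": "198.51.100.7", "user.name": "root", "event.outcome": "failure"},
]


def threshold_alerts(events, threshold_fields, threshold_value):
    """Simplified model of a threshold rule (assumption: mirrors the documented
    behaviour, not Kibana's implementation). Events are bucketed by the tuple
    of threshold_fields; each bucket whose doc count reaches threshold_value
    produces one alert. Only the grouped fields are copied onto the alert,
    which is why an ungrouped field such as host.name is absent."""
    buckets = {}
    for ev in events:
        # An event missing any grouping field cannot land in a bucket, so it
        # is dropped, as a terms aggregation would do.
        if any(f not in ev for f in threshold_fields):
            continue
        key = tuple(ev[f] for f in threshold_fields)
        buckets.setdefault(key, []).append(ev)

    alerts = []
    for key, docs in buckets.items():
        if len(docs) < threshold_value:
            continue
        alert = {
            "kibana.alert.rule.type": "threshold",
            # Copy of the rule configuration that produced the alert
            # (assumed layout).
            "kibana.alert.rule.parameters": {
                "threshold": {"field": list(threshold_fields), "value": threshold_value}
            },
            "kibana.alert.threshold_result": {
                "count": len(docs),
                "terms": [{"field": f, "value": v} for f, v in zip(threshold_fields, key)],
            },
        }
        # Only grouped fields survive onto the alert document.
        for f, v in zip(threshold_fields, key):
            alert[f] = v
        alerts.append(alert)
    return alerts


def explain_missing_field(alert, field):
    """Triage helper: given an alert document and a field you expected on it,
    say whether its absence is the documented threshold-rule behaviour."""
    if field in alert:
        return "present"
    rule_type = alert.get("kibana.alert.rule.type")
    params = alert.get("kibana.alert.rule.parameters", {})
    if rule_type == "threshold":
        grouped = params.get("threshold", {}).get("field", [])
        if field not in grouped:
            return f"expected: threshold rule groups on {grouped}, not on {field}"
        return f"unexpected: {field} is a threshold field but missing from the alert"
    return f"unexpected: a {rule_type} rule should carry {field} from the source event"


if __name__ == "__main__":
    by_ip = threshold_alerts(SOURCE_EVENTS, ["source.ip"], 3)
    print(by_ip[0])
    print(explain_missing_field(by_ip[0], "host.name"))
    by_ip_host = threshold_alerts(SOURCE_EVENTS, ["source.ip", "host.name"], 3)
    print(explain_missing_field(by_ip_host[0], "host.name"))
```

Run against the constructed events, grouping on source.ip alone yields one alert with a count of 4 and no host.name, and the helper reports that as expected; adding host.name to the threshold fields yields one alert for web-01 that carries the field. The same helper can be pointed at a real exported alert to check whether host.name appears in the copied threshold parameters before suspecting an upgrade problem.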