Attribute detection to original doc

Elastic Security
1

Is there a way to include the original _id of the doc that triggered an alert in the metadata of a detection? When working IR, we would like to efficiently trace an alert to an event.

I can create a filter based off of several attributes of the detection (host, imphash, timestamp, etc) and eventually narrow it down to a single event but in an effort to orchestrate IR, it would make more sense to search for the originating _id of the doc.

Am I missing something or do we need to approach this differently?

2

Hi @Samsquantch, you should have that information available to you in the detection underneath:

signal.parent

and

signal.ancestors

Screen Shot 2021-01-18 at 11.49.01 AM
Screen Shot 2021-01-18 at 11.49.01 AM4556×1002 263 KB
Screen Shot 2021-01-18 at 11.49.16 AM
Screen Shot 2021-01-18 at 11.49.16 AM4632×888 244 KB

They have information back to the parent/original _id of the doc and index information. One important item of note is that not all detections are going to have this fidelity. For example thresholds will not have it and machine learning does not have it. If we can trace it back then we will trace it back in those areas, however.