Hello,
Just noticed that in the rule "Azure Excessive Signin Logs by Azure Identity" it seems impossible to display the field azure.signinlogs.identity, which is not very user friendly and a waste of time to lookup afterwards..
So 2 questions?
azure.signinlogs.identity in the signal overview?azure.signinlogs.identity not copied to user.name in the azure.signin pipeline?Best regards,
Willem
Hi @willemdh,
Unmapped fields in an alerts index, (e.g. .siem-signals-default) are not displayed in the Detection alerts table, as shown in the screenshot above, until one of the following actions is taken:
manually add a runtime field to the alerts index (for the unmapped field), as illustrated by the runtime fields documentation
manually add a mapping to the alerts index (for the unmapped field) as illustrated by the mapping documentation, and re-index the alert data
Of the two options above, adding a runtime field is preferable, because it doesn't require re-indexing.
To that end, we opened:
An enhancement request to Provide a workflow for adding runtime fields to an alerts index for unmapped fields
An issue to Prevent unmapped fields from being added to the Detection alerts table
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.