Just noticed that in the rule "Azure Excessive Signin Logs by Azure Identity" it seems impossible to display the field azure.signinlogs.identity, which is not very user-friendly and a waste of time to look up afterwards.
Unmapped fields in an alerts index (e.g. .siem-signals-default) are not displayed in the Detection alerts table, as shown in the screenshot above, until one of the following actions is taken: