Considerations about default terms agg for Elastic SIEM Detections histogram


Starting from 7.7 the detections histogram in SIEM seems to have an issue with the legend. When 2-digit numbers get cut off...


Also, I'm seriously wondering why the default aggregation is on signal.rule.risk_score. IMHO, this makes no sense and should be changed to

Or at least let us choose for ourselves what is being shown on page load. The # of times I had to change this....

The signal.rule.risk_score doesn't seem like the ideal metric to show by default in a SIEM histogram. Personally I seem to be using signal.rule.risk_score as a way to filter for higher risk SIEM events and focus on those. For example:




Hi @willemdh, thanks for your interest in SIEM and for your feedback!

Regarding the legend, in the course of adding lots of new functionality to our charting we've also changed the look/layout of these legends, and those style issues should be addressed in the upcoming 7.8.0 release.

Regarding the default stack order, you make some great points! Your examples are very useful and will help us choose the most sensible defaults for our users. If those defaults don't work for you, though, we're making an effort to persist many of those user preferences so that you can customize SIEM just how you like it. I've created a general issue to track this effort, and as you can see there a few of these are already underway and should be landing in 7.9.0.

Thanks again for your detailed feedback; please keep it coming!