Starting from 7.7, the detections histogram in SIEM seems to have an issue with the legend. 2-digit numbers get cut off...
Also, I'm seriously wondering why the default aggregation is on
signal.rule.risk_score. Imho, this makes no sense and should be changed to
Or at least let us choose for ourselves what is being shown on page load. The # of times I had to change this...
signal.rule.risk_score doesn't seem like the ideal metric to show by default in a SIEM histogram. Personally I seem to be using
signal.rule.risk_score as a way to filter for higher-risk SIEM events and focus on those. For example: