I'm trying to copy a query generated by a rule as described on this thread, and then convert that JSON to a TOML file for detection as code.
See below the query I've built on Elastic:
When I click on Copy query, this is the output:
{
  "aggs": {},
  "fields": [
    {
      "field": "@timestamp",
      "format": "date_time"
    },
    {
      "field": "event.created",
      "format": "date_time"
    },
    {
      "field": "event.ingested",
      "format": "date_time"
    }
  ],
  "script_fields": {},
  "stored_fields": [
    "*"
  ],
  "runtime_mappings": {},
  "_source": {
    "excludes": []
  },
  "query": {
    "bool": {
      "must": [],
      "filter": [
        {
          "bool": {
            "should": [
              {
                "term": {
                  "event.action": {
                    "value": "git.clone"
                  }
                }
              }
            ],
            "minimum_should_match": 1
          }
        },
        {
          "range": {
            "@timestamp": {
              "format": "strict_date_optional_time",
              "gte": "2024-08-16T16:55:01.671Z",
              "lte": "2024-08-16T17:00:01.671Z"
            }
          }
        }
      ],
      "should": [],
      "must_not": []
    }
  }
}
There's nothing in the copied query that indicates the group and threshold, only the time window. Is there a way to include this?
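As an added illustration (not from the post or from Elastic), the script below takes the copied query JSON, pulls the term filter out into a KQL string, drops the preview-only @timestamp window, and writes a threshold-rule TOML document. Because the copied query carries no group-by field or count, those two values are supplied as explicit parameters; the `[rule]`/`[rule.threshold]` layout follows the shape used by Elastic's detection-rules TOML files and is assumed here rather than taken from the post.

```python
import json

# Constructed copy of the query JSON shown in the post (only the parts the
# converter needs; the metadata keys such as "fields" are not rule logic).
COPIED_QUERY = json.loads("""
{"query": {"bool": {"must": [], "filter": [
  {"bool": {"should": [{"term": {"event.action": {"value": "git.clone"}}}],
            "minimum_should_match": 1}},
  {"range": {"@timestamp": {"format": "strict_date_optional_time",
                             "gte": "2024-08-16T16:55:01.671Z",
                             "lte": "2024-08-16T17:00:01.671Z"}}}],
  "should": [], "must_not": []}}}
""")


def extract_terms(query):
    """Collect field/value pairs from term clauses inside the filter and join
    them as KQL. The @timestamp range is the preview window, not rule logic,
    so it is deliberately skipped."""
    clauses = []
    for f in query["query"]["bool"]["filter"]:
        if "bool" in f:
            for s in f["bool"].get("should", []):
                for field, body in s.get("term", {}).items():
                    value = body["value"] if isinstance(body, dict) else body
                    clauses.append(f'{field}:"{value}"')
    return " or ".join(clauses)


def to_toml(query, name, threshold_field, threshold_value):
    """Build a threshold-rule TOML document. threshold_field/threshold_value
    must be passed in explicitly: the copied query carries only the time
    window, not the rule's group-by field or count (the gap raised in the post).
    The TOML key layout is an assumption modelled on detection-rules files."""
    fields = ", ".join(f'"{f}"' for f in threshold_field)
    return (
        "[rule]\n"
        f'name = "{name}"\n'
        'type = "threshold"\n'
        'language = "kuery"\n'
        f"query = '{extract_terms(query)}'\n"
        "\n[rule.threshold]\n"
        f"field = [{fields}]\n"
        f"value = {threshold_value}\n"
    )


if __name__ == "__main__":
    print(to_toml(COPIED_QUERY, "Git clone burst", ["user.name"], 20))
```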