Custom event category in correlation rule

Can anyone please explain what it means?

I have Symantec antimalware logs on the index pattern logstash-sepm*. In the JSON document I don't have an event.category field, but I want to create a correlation rule for when the same malware is detected on multiple hosts. So I first have to select a value present in event.category like "process" or anything else. I want to declare the field "type" as my event.category, but it does not work.

Can anyone please explain to me how I can define a custom event.category here ^

EQL uses the @timestamp and event.category
Yes, you can customize fields when running the query using your own code or from the Kibana Dev Console, but from the Kibana SIEM UI there is a call to the endpoint:

POST https://localhost:5601/internal/search/eql
  "params": {
    "allow_no_indices": true,
    "index": "my-index",
    "body": {
      "query": ""timestamp_field": "file.accessed" xxxxxx",
      "size": 0
  "options": {
    "ignore": [

So you need to have @timestamp and event.category in your index.
Then use only the content of the query.
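To make the difference between the two paths concrete, here is an added example that is not part of the thread or of Elastic's own code. It builds the body of an Elasticsearch EQL search request with the `timestamp_field` and `event_category_field` overrides the EQL API accepts (the Dev Console / API route the answer mentions), and it runs the correlation the asker wants, the same threat name seen on more than one host, locally over a few constructed documents that only have a `type` field and no `@timestamp`. The sample documents and the field names `timestamp`, `host` and `threat` are assumptions for illustration; the EQL query string is only a sample filter, and the multi-host check is done in Python rather than in EQL.

```python
import json
from collections import defaultdict

# Constructed sample documents in the shape the thread describes: a "type"
# field instead of event.category and no @timestamp. The field names
# "timestamp", "host" and "threat" are assumptions for this example.
SAMPLE_DOCS = [
    {"timestamp": "2021-03-01T10:00:00Z", "type": "Risk", "host": "ws-01", "threat": "Trojan.Gen.2"},
    {"timestamp": "2021-03-01T10:05:00Z", "type": "Risk", "host": "ws-02", "threat": "Trojan.Gen.2"},
    {"timestamp": "2021-03-01T10:06:00Z", "type": "Risk", "host": "ws-02", "threat": "Trojan.Gen.2"},  # same host again
    {"timestamp": "2021-03-01T10:07:00Z", "type": "Risk", "host": "ws-03", "threat": "Adware.Foo"},
    {"timestamp": "2021-03-01T10:08:00Z", "type": "Scan", "host": "ws-04", "threat": ""},
]


def eql_request(index, query, timestamp_field, event_category_field, size=100):
    """Body for POST /<index>/_eql/search using the EQL API's field
    overrides. These two parameters are what the Kibana rule UI does not
    expose, so the request has to be sent from code or the Dev Console."""
    return {
        "index": index,
        "body": {
            "query": query,
            "timestamp_field": timestamp_field,
            "event_category_field": event_category_field,
            "size": size,
        },
    }


def dev_console_snippet(index, query, timestamp_field, event_category_field):
    """Render the same request as something you can paste into Kibana Dev Tools."""
    body = eql_request(index, query, timestamp_field, event_category_field)["body"]
    return f"POST /{index}/_eql/search\n" + json.dumps(body, indent=2)


def hosts_per_threat(docs, category_field="type", category="Risk",
                     host_field="host", threat_field="threat", min_hosts=2):
    """Local equivalent of the correlation in the question: among events whose
    category field equals `category`, group by threat name and return the
    threats seen on at least `min_hosts` distinct hosts (sorted host lists).
    Repeated hits on one host are collapsed by the set, so ws-02 counts once."""
    hosts = defaultdict(set)
    for doc in docs:
        if doc.get(category_field) != category:
            continue
        name = doc.get(threat_field)
        if not name:  # skip events with no threat name
            continue
        hosts[name].add(doc[host_field])
    return {name: sorted(h) for name, h in hosts.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    # Sample EQL filter: the event category value ("Risk") goes before "where".
    print(dev_console_snippet("logstash-sepm*",
                              'Risk where threat == "Trojan.Gen.2"',
                              "timestamp", "type"))
    print(hosts_per_threat(SAMPLE_DOCS))
```

Running the block prints a Dev Console request whose `event_category_field` is `type` and `timestamp_field` is `timestamp`, and reports `Trojan.Gen.2` as seen on `ws-01` and `ws-02` while `Adware.Foo` (one host) and the `Scan` event (wrong category) are left out. The point of the local function is that the "multiple hosts" condition is a post-aggregation over distinct hosts, which is a separate step from the EQL field mapping the thread is about.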

As far as I understand from the documentation, we can define a custom field like "event_category_field": "file.type" as the event.category if and only if we don't have event.category in the JSON document.

Here I want to ask how I can define event_category_field through the Kibana UI. I know the Kibana UI's objective is to run the EQL syntax only, but if I want to declare my custom field as event.category, how will it be accomplished?

Thank you

Simply, you can't from the UI.

OK, thank you for your reply.

