Hi @Psyhil, welcome to the community!
From your screenshot, it appears as though your signals were generated from a threshold rule. I suspect this may be the source of confusion, as threshold rules function a bit differently from a regular query rule:
The threshold query itself is effectively a terms aggregation, and so most document-level information is lost. Consequently, the generated signals would be similarly empty. To make the signal more useful, we promote some information about the rule into the signal. This includes things like the timestamp and index of the search, but more importantly it includes:
- the fields/values involved in the rule query, if exact (e.g. `winlog.channel: "Security"`)
- the field used in the aggregation, with values from the resulting buckets
I would not expect `user.name` to be populated for a threshold rule with the query that you provided, unless `user.name` was the threshold field.
However, if you're perhaps using threshold rules as a means to generate rules from sequences of events (which may be the case given your rule name), I would highly recommend checking out the Event Correlation rule type that was introduced in 7.10.
I hope this helps!
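To make the behaviour described in the reply above concrete, here is an added, self-contained Python model of how a threshold rule turns a terms aggregation into signals. It is not Elastic's code and not part of the original thread: the events, the `winlog.channel`/`event.code` query, the `run_threshold_rule` helper and the simplified signal shape (`threshold_result`) are all assumptions made for illustration. It shows why `user.name` is absent from the signal when the threshold field is `host.name`, and present only when `user.name` itself is the threshold field.

```python
import re
from collections import Counter

# Constructed sample events for this example; they are not taken from the thread.
EVENTS = [
    {"@timestamp": "2021-01-10T10:00:00Z", "winlog.channel": "Security", "event.code": "4625", "host.name": "ws01", "user.name": "alice"},
    {"@timestamp": "2021-01-10T10:00:05Z", "winlog.channel": "Security", "event.code": "4625", "host.name": "ws01", "user.name": "bob"},
    {"@timestamp": "2021-01-10T10:00:09Z", "winlog.channel": "Security", "event.code": "4625", "host.name": "ws01", "user.name": "alice"},
    {"@timestamp": "2021-01-10T10:01:00Z", "winlog.channel": "Security", "event.code": "4625", "host.name": "ws02", "user.name": "carol"},
    {"@timestamp": "2021-01-10T10:02:00Z", "winlog.channel": "System",   "event.code": "7045", "host.name": "ws01", "user.name": "alice"},
]

# Assumed rule query: a conjunction of exact field:"value" terms.
QUERY = 'winlog.channel: "Security" and event.code: "4625"'

# Matches only exact field:"value" terms; wildcards, ranges and OR clauses are
# deliberately not recognised, mirroring the point that only exact pairs get promoted.
EXACT_TERM = re.compile(r'([\w.]+)\s*:\s*"([^"]*)"')


def parse_exact_terms(query):
    """Return the (field, value) pairs of the exact-match terms in a simple query."""
    return EXACT_TERM.findall(query)


def run_threshold_rule(events, query, threshold_field, threshold_value):
    """Simplified threshold rule: filter by the query, bucket by threshold_field
    (a terms aggregation), and emit one signal per bucket at or above the threshold.

    Document-level fields are lost in the aggregation; the signal only carries
    what is promoted from the rule: the exact query terms and the bucket key.
    """
    terms = parse_exact_terms(query)
    matching = [e for e in events if all(e.get(f) == v for f, v in terms)]

    # Terms aggregation: count matching events per distinct threshold_field value.
    buckets = Counter(e[threshold_field] for e in matching if threshold_field in e)

    signals = []
    for key, count in sorted(buckets.items()):
        if count < threshold_value:
            continue
        signal = dict(terms)                 # promoted exact query fields/values
        signal[threshold_field] = key        # promoted aggregation field and bucket key
        # Assumed, simplified shape for the threshold metadata on the signal.
        signal["threshold_result"] = {"value": key, "count": count}
        signals.append(signal)
    return signals


if __name__ == "__main__":
    # Threshold on host.name: the signal has no user.name, because the
    # aggregation discarded every per-document field except the bucket key.
    for s in run_threshold_rule(EVENTS, QUERY, "host.name", 3):
        print("host.name threshold ->", s)

    # Threshold on user.name: now user.name is the bucket key and is present.
    for s in run_threshold_rule(EVENTS, QUERY, "user.name", 2):
        print("user.name threshold ->", s)
```

Running it shows a single `host.name` signal for `ws01` carrying `winlog.channel`, `event.code`, `host.name` and the count, with no `user.name` at all, and a single `user.name` signal for `alice` (the `System` channel event is excluded by the query, so only two of her three events count).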