I have added some custom rules in Elastic and am running into a problem where fields like host.name, source IP address and destination IP address are missing in the detections UI.
I tried to fiddle with the columns and event renderers, but it did not help.
If I run the query in Kibana, then it has the necessary fields, but not in the detections UI, as below.
From your screenshot, it appears as though your signals were generated from a threshold rule. I suspect this may be the source of confusion, as threshold rules function a bit differently from a regular query rule:
The threshold query itself is effectively a terms aggregation, and so most document-level information is lost. Consequently, the generated signals would be similarly empty. To make the signal more useful, we promote some information about the rule into the signal. This includes things like the timestamp and index of the search, but more importantly it includes:
the fields/values involved in the rule query, if exact (e.g. winlog.channel: "Security")
the field used in the aggregation, with values from the resulting buckets
I would not expect user.name to be populated for a threshold rule with the query that you provided, unless user.name was the threshold field.
However, if you're perhaps using threshold rules as a means to generate rules from sequences of events (which may be the case given your rule name), I would highly recommend checking out the Event Correlation rule type that was introduced in 7.10.
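As an added illustration of the behaviour described in the answer above (this is example code written for this page, not Elastic's implementation and not code from either poster), the following Python models the two rule types side by side: a regular query rule copies the whole matching document into each signal, while a threshold rule is effectively a terms aggregation, so only the exact query terms and the bucket key of the threshold field are promoted into the signal. The rule query (winlog.channel: "Security"), the threshold field (winlog.event_data.TargetUserName, as in the thread), the threshold value and the sample events are all constructed for the example, and the signal.* field names are illustrative rather than the exact names Kibana writes.

```python
import copy
from collections import defaultdict


def get_path(doc, dotted):
    """Resolve a dotted ECS-style field name (e.g. "host.name") in a nested dict."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def set_path(doc, dotted, value):
    """Write a dotted field name into a nested dict, creating intermediate objects."""
    cur = doc
    parts = dotted.split(".")
    for part in parts[:-1]:
        cur = cur.setdefault(part, {})
    cur[parts[-1]] = value


def matches(doc, query):
    """query is a dict of exact field: value terms that are AND-ed together."""
    return all(get_path(doc, field) == value for field, value in query.items())


def run_query_rule(events, query):
    """Regular query rule: one signal per matching event, whole source document kept."""
    return [
        {"signal": {"rule": {"type": "query"}}, **copy.deepcopy(event)}
        for event in events
        if matches(event, query)
    ]


def run_threshold_rule(events, query, threshold_field, threshold):
    """Threshold rule: apply the query, bucket by threshold_field (a terms aggregation),
    emit one signal per bucket with doc_count >= threshold.

    Only the exact query terms and the bucket key survive; host.name, source.ip,
    user.name and every other document-level field are gone because the
    aggregation never returns individual documents."""
    buckets = defaultdict(int)
    for event in events:
        if matches(event, query):
            key = get_path(event, threshold_field)
            if key is not None:
                buckets[key] += 1

    signals = []
    for key, count in buckets.items():
        if count < threshold:
            continue
        # Illustrative signal layout (assumption): rule type plus the bucket result.
        signal = {"signal": {"rule": {"type": "threshold"},
                             "threshold_result": {"value": key, "count": count}}}
        for field, value in query.items():   # promote exact query terms
            set_path(signal, field, value)
        set_path(signal, threshold_field, key)  # promote the aggregated field
        signals.append(signal)
    return signals


def _event(ts, host, user, channel, target, src_ip):
    """Build one constructed Windows logon-style event (not a real log record)."""
    return {"@timestamp": ts, "host": {"name": host}, "user": {"name": user},
            "source": {"ip": src_ip},
            "winlog": {"channel": channel, "event_data": {"TargetUserName": target}}}


# Constructed sample events: three Security events for alice, one for bob,
# and one alice event on a different channel that the query must exclude.
EVENTS = [
    _event("2021-01-05T10:00:00Z", "dc01", "alice", "Security", "alice", "10.0.0.5"),
    _event("2021-01-05T10:00:05Z", "dc01", "alice", "Security", "alice", "10.0.0.5"),
    _event("2021-01-05T10:00:09Z", "ws02", "alice", "Security", "alice", "10.0.0.7"),
    _event("2021-01-05T10:01:00Z", "dc01", "bob", "Security", "bob", "10.0.0.9"),
    _event("2021-01-05T10:02:00Z", "dc01", "alice", "System", "alice", "10.0.0.5"),
]

QUERY = {"winlog.channel": "Security"}             # assumed rule query
THRESHOLD_FIELD = "winlog.event_data.TargetUserName"  # threshold field from the thread
THRESHOLD = 3                                        # assumed threshold value

QUERY_SIGNALS = run_query_rule(EVENTS, QUERY)
THRESHOLD_SIGNALS = run_threshold_rule(EVENTS, QUERY, THRESHOLD_FIELD, THRESHOLD)


def columns(signals, fields):
    """What a detections table showing `fields` as columns would render for each signal."""
    return [{f: get_path(s, f) for f in fields} for s in signals]


if __name__ == "__main__":
    cols = ["host.name", "user.name", "source.ip", THRESHOLD_FIELD]
    print("query rule:", columns(QUERY_SIGNALS, cols))
    print("threshold rule:", columns(THRESHOLD_SIGNALS, cols))
```

Running it shows the query-rule rows fully populated, while the single threshold signal for alice has only the threshold field (and winlog.channel) set, which is why adding the threshold field as a column works but host.name and the IP columns stay empty.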
Thank you Ryland, You got it absolutely right.
It is a threshold rule and we are using the winlog.event_data.TargetUserName field as the threshold field, hence that explains why user.name is empty, but I can add the threshold field as a column so that part works.
I have been fiddling around with EQL but have not been successful so far; I guess I will just have to play more with EQL.