Detection Rules Column Data Missing

Elastic Security SIEM
1

Good Day!

I have added some custom rules in elastic and running into a problem where fields like host.name, Source IP address and destination IP address are missing in detections UI.
I tried to fiddle with the columns and event renders but did not help.
If I run the query in kibana, then it has the necessary fields but not in the detections UI as below

image
image1762×314 56.3 KB

Is there a way I can fix this?

The custom rule I am running is
signal.rule.query: "winlog.channel:"Security" AND winlog.event_id:("529" OR "4625")

Thank You in advance!
Cheers

2

Hi @Psyhil, welcome to the community!

From your screenshot, it appears as though your signals were generated from a threshold rule. I suspect this may be the source of confusion, as threshold rules function a bit differently from a regular query rule:

The threshold query itself is effectively a terms aggregation, and so most document-level information is lost. Consequently, the generated signals would be similarly empty. To make the signal more useful, we promote some information about the rule into the signal. This includes things like the timestamp and index of the search, but more importantly it includes:

  • the fields/values involved in the rule query, if exact (e.g. winlog.channel: "Security" )
  • the field used in the aggregation, with values from the resulting buckets

I would not expect user.name to be populated for a threshold rule with the query that you provided, unless user.name was the threshold field.

However, if you're perhaps using threshold rules as a means to generate rules from sequences of events (which may be the case given your rule name :wink:), I would highly recommend checking out the Event Correlation rule type that was introduced in 7.10.

I hope this helps!

3

Thank you Ryland, You got it absolutely right.
It is a threshold rule and we are using winlog.event_data.TargetUserName field for the threshold field hence that explains why the user.name is empty but I can add the threshold field as a column so some of the part works.

Have been fiddling around with EQL but have not been successful so far, I guess will just have to play more with EQL.

Thanks again for the help on this.

Kind Regards!

1 Like
4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.