Hi everyone,
I'm trying to create a custom rule with the threshold detection parameter. I am using a handmade index with custom fields. This is the mapping:
{
  "login-000001" : {
    "mappings" : {
      "properties" : {
        "@timestamp" : {
          "type" : "date"
        },
        "source" : {
          "properties" : {
            "@timestamp" : {
              "type" : "date"
            },
            "dispositivo" : {
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            },
            "event" : {
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            },
            "geo" : {
              "properties" : {
                "ip" : {
                  "type" : "text",
                  "fields" : {
                    "keyword" : {
                      "type" : "keyword",
                      "ignore_above" : 256
                    }
                  }
                },
                "location" : {
                  "type" : "geo_point"
                },
                "name" : {
                  "type" : "text",
                  "fields" : {
                    "keyword" : {
                      "type" : "keyword",
                      "ignore_above" : 256
                    }
                  }
                }
              }
            },
            "proc" : {
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            },
            "status" : {
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            },
            "substatus" : {
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            },
            "timestamp" : {
              "type" : "date"
            },
            "usuario" : {
              "type" : "text",
              "fields" : {
                "keyword" : {
                  "type" : "keyword",
                  "ignore_above" : 256
                }
              }
            }
          }
        }
      }
    }
  }
}
I am trying to detect the fail events from each user using the field "source.usuario.keyword" with threshold > 2. But in the result, the field signal.threshold.result.value appears empty; I only get the count of the signal, but not the user who made more than 2 fail events.
Any help please? Best regards.
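One way to sanity-check what the rule should be producing, as an added example that is not part of the original post or of any Elastic product code: a Python script that builds the equivalent terms-aggregation request for the index above (filter on the failure status, then group by source.usuario.keyword with min_doc_count set to the threshold) and runs the same grouped count locally over constructed sample documents shaped like the posted mapping. It also counts matching documents that have no usuario value at all, which is the first thing to check when a grouping value comes back empty. The failure status value "fail", the sample documents, and the function names are assumptions; the post only says "fail events".

```python
"""Threshold-style detection (count of fail events per user) done two ways:
as the Elasticsearch query body one would run against the index directly,
and as the same logic applied locally to constructed sample documents.
Added example, not from the original post; the status value "fail" is assumed.
"""
from collections import Counter

GROUP_FIELD = "source.usuario.keyword"   # keyword sub-field from the posted mapping
STATUS_FIELD = "source.status.keyword"   # keyword sub-field from the posted mapping
FAIL_VALUE = "fail"                      # assumption: the post only says "fail events"
THRESHOLD = 3                            # "threshold > 2" means at least 3 matching docs

# Constructed sample documents using the source.* fields of the posted mapping.
SAMPLE_DOCS = [
    {"@timestamp": "2021-03-01T10:00:00Z", "source": {"usuario": "alice", "status": "fail",
     "event": "login", "proc": "sshd", "dispositivo": "srv01", "geo": {"ip": "203.0.113.5"}}},
    {"@timestamp": "2021-03-01T10:00:05Z", "source": {"usuario": "alice", "status": "fail",
     "event": "login", "proc": "sshd", "dispositivo": "srv01", "geo": {"ip": "203.0.113.5"}}},
    {"@timestamp": "2021-03-01T10:00:09Z", "source": {"usuario": "alice", "status": "fail",
     "event": "login", "proc": "sshd", "dispositivo": "srv01", "geo": {"ip": "203.0.113.5"}}},
    {"@timestamp": "2021-03-01T10:01:00Z", "source": {"usuario": "bob", "status": "fail",
     "event": "login", "proc": "sshd", "dispositivo": "srv02", "geo": {"ip": "198.51.100.7"}}},
    {"@timestamp": "2021-03-01T10:01:30Z", "source": {"usuario": "bob", "status": "fail",
     "event": "login", "proc": "sshd", "dispositivo": "srv02", "geo": {"ip": "198.51.100.7"}}},
    {"@timestamp": "2021-03-01T10:02:00Z", "source": {"usuario": "bob", "status": "success",
     "event": "login", "proc": "sshd", "dispositivo": "srv02", "geo": {"ip": "198.51.100.7"}}},
    {"@timestamp": "2021-03-01T10:03:00Z", "source": {"usuario": "carol", "status": "fail",
     "event": "login", "proc": "sshd", "dispositivo": "srv03", "geo": {"ip": "192.0.2.9"}}},
    # A fail event with no usuario at all: it can never land in a per-user bucket.
    {"@timestamp": "2021-03-01T10:04:00Z", "source": {"status": "fail",
     "event": "login", "proc": "sshd", "dispositivo": "srv03", "geo": {"ip": "192.0.2.9"}}},
]


def get_path(doc, dotted):
    """Resolve a dotted field path in a nested dict. A trailing '.keyword'
    multi-field is resolved to the value of its parent text field, which is
    what the keyword sub-field indexes."""
    parts = dotted.split(".")
    if parts[-1] == "keyword":
        parts = parts[:-1]
    cur = doc
    for part in parts:
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def count_failures(docs, group_field=GROUP_FIELD, status_field=STATUS_FIELD,
                   fail_value=FAIL_VALUE, threshold=THRESHOLD):
    """Return ({user: fail_count} for users at or above the threshold,
    number of fail events that carry no value for the grouping field)."""
    counts = Counter()
    missing_group_value = 0
    for doc in docs:
        if get_path(doc, status_field) != fail_value:
            continue
        user = get_path(doc, group_field)
        if user is None:
            missing_group_value += 1
            continue
        counts[user] += 1
    hits = {user: n for user, n in counts.items() if n >= threshold}
    return hits, missing_group_value


def build_threshold_query(group_field=GROUP_FIELD, status_field=STATUS_FIELD,
                          fail_value=FAIL_VALUE, threshold=THRESHOLD):
    """Equivalent Elasticsearch request body: exact match on the status
    keyword, then a terms aggregation on the user keyword where min_doc_count
    drops every user below the threshold. Run it with GET login-*/_search."""
    return {
        "size": 0,
        "query": {"bool": {"filter": [{"term": {status_field: fail_value}}]}},
        "aggs": {
            "by_user": {
                "terms": {"field": group_field, "min_doc_count": threshold, "size": 100}
            }
        },
    }


if __name__ == "__main__":
    import json
    hits, missing = count_failures(SAMPLE_DOCS)
    print("users over threshold:", hits)
    print("fail events without", GROUP_FIELD + ":", missing)
    print(json.dumps(build_threshold_query(), indent=2))
```

Running the query body against the real index and comparing its by_user buckets with the rule's output separates two cases: if the buckets name the users, the data is fine and the problem is on the rule side; if the buckets are empty while the plain document count is not, the matching documents do not carry a source.usuario value (or it is longer than the 256-character ignore_above limit in the mapping) and the rule has nothing to group on.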