DSL query from investigate timeline

Please tell me, is it possible to take the information from the "investigate in timeline" Elastic Security alert action, which is located in the Inspect -> Request tab?

Or maybe it is possible to universally convert the request received from /api/detection_engine/signals/search to DSL?

Yes, check for the query key in the Inspect -> Request tab. It is Query DSL only.

For example, if you see the below in the timeline tab, it is Query DSL and can be used as is.

Let me know if you want to ask something else.

{
  "aggregations": {
    "producers": {
      "terms": {
        "field": "kibana.alert.rule.producer",
        "exclude": [
          "alerts"
        ]
      }
    }
  },
  "query": {
    "bool": {
      "filter": [
        {
          "bool": {
            "must": [],
            "filter": [
              {
                "query_string": {
                  "query": "*"
                }
              }
            ],
            "should": [],
            "must_not": []
          }
        },
        {
          "range": {
            "@timestamp": {
              "gte": "2024-04-18T12:26:40.838Z",
              "lte": "2024-07-11T12:26:28.838Z",
              "format": "strict_date_optional_time"
            }
          }
        },
        {
          "match_all": {}
        }
      ]
    }
  },
  "runtime_mappings": {},
  "from": 0,
  "size": 500,
  "track_total_hits": true,
  "sort": [
    {
      "@timestamp": {
        "order": "desc",
        "unmapped_type": "date"
      }
    }
  ],
  "_source": false
}
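As an added example (not from the thread or from Elastic's own code), the script below takes the Inspect -> Request body pasted above, reuses its query key verbatim as Query DSL, narrows it to a single alert by _id with a standard ids clause, and builds the equivalent POST to /api/detection_engine/signals/search. KIBANA_URL, the credentials and ALERT_ID are placeholder assumptions; the embedded request is a constructed copy of the one in the thread with the aggregation left out. One caveat it handles: the timeline's @timestamp range is dropped by default, because an _id lookup should not return nothing just because the alert falls outside the window the timeline happened to use.

```python
"""Reuse the Query DSL from Inspect -> Request outside the Kibana UI.

Added example, not code from the original thread. KIBANA_URL, KIBANA_AUTH
and ALERT_ID are placeholder assumptions; INSPECT_REQUEST is a constructed
copy of the Inspect -> Request body posted in the thread.
"""
import base64
import copy
import json
import shlex
import urllib.request

KIBANA_URL = "https://kibana.example.local:5601"     # assumption
KIBANA_AUTH = ("elastic", "changeme")                 # assumption
ALERT_ID = "0123456789abcdef0123456789abcdef"         # hypothetical alert _id

# Constructed sample: the Inspect -> Request body from the thread, without the
# "producers" aggregation, which is not needed for a lookup by _id.
INSPECT_REQUEST = {
    "query": {"bool": {"filter": [
        {"bool": {"must": [], "filter": [{"query_string": {"query": "*"}}],
                  "should": [], "must_not": []}},
        {"range": {"@timestamp": {"gte": "2024-04-18T12:26:40.838Z",
                                  "lte": "2024-07-11T12:26:28.838Z",
                                  "format": "strict_date_optional_time"}}},
        {"match_all": {}},
    ]}},
    "runtime_mappings": {},
    "from": 0,
    "size": 500,
    "track_total_hits": True,
    "sort": [{"@timestamp": {"order": "desc", "unmapped_type": "date"}}],
    "_source": False,
}


def _is_timestamp_range(clause):
    """True for a range filter on @timestamp (the timeline's time window)."""
    return isinstance(clause, dict) and "@timestamp" in clause.get("range", {})


def scope_to_alert(inspect_request, alert_id, drop_time_range=True):
    """Return a copy of the Inspect request narrowed to one alert document.

    The "query" key is plain Query DSL, so it is kept as is and an "ids"
    clause is appended to bool.filter. Non-bool queries are wrapped first.
    """
    body = copy.deepcopy(inspect_request)          # never mutate the input
    query = body.get("query", {"match_all": {}})
    if "bool" not in query:
        query = {"bool": {"filter": [query]}}
    filters = query["bool"].setdefault("filter", [])
    if isinstance(filters, dict):                  # a single clause is allowed
        filters = [filters]
    if drop_time_range:
        filters = [c for c in filters if not _is_timestamp_range(c)]
    filters.append({"ids": {"values": [alert_id]}})
    query["bool"]["filter"] = filters
    body["query"] = query
    body["size"] = 1
    body["from"] = 0
    body["_source"] = True       # Inspect sets _source: false; we want the alert
    body.pop("aggregations", None)
    body.pop("aggs", None)
    return body


def signals_search_curl(body, kibana_url=KIBANA_URL, auth=KIBANA_AUTH):
    """Build an equivalent curl command; Kibana requires the kbn-xsrf header."""
    return " ".join([
        "curl -s -X POST",
        shlex.quote(f"{kibana_url}/api/detection_engine/signals/search"),
        "-u", shlex.quote(f"{auth[0]}:{auth[1]}"),
        "-H 'kbn-xsrf: true' -H 'Content-Type: application/json'",
        "-d", shlex.quote(json.dumps(body)),
    ])


def post_signals_search(body, kibana_url=KIBANA_URL, auth=KIBANA_AUTH):
    """Send the body to the signals search API and return the parsed JSON."""
    token = base64.b64encode(f"{auth[0]}:{auth[1]}".encode()).decode()
    req = urllib.request.Request(
        f"{kibana_url}/api/detection_engine/signals/search",
        data=json.dumps(body).encode(),
        headers={"kbn-xsrf": "true", "Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(signals_search_curl(scope_to_alert(INSPECT_REQUEST, ALERT_ID)))
```

Because the body is an ordinary Elasticsearch search body, the same JSON can also be sent unchanged to the _search endpoint of the alerts indices with the Elasticsearch API; the Kibana route is just the one the UI itself uses. Pass drop_time_range=False if you want to keep the timeline's exact window.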

I want to receive this, maybe via the API, knowing the _id of the Elastic Security alert document. Is it possible to receive this somehow, not through the Kibana web interface?

Or maybe it is possible to use the API to get the _id of the events that were included in "investigate in timeline"?

I am not 100% sure, I will check and get back to you.


Hello, Jatin, no ideas?
