I am trying to set up a new integration for an EDR that is not yet listed among the Kibana integrations. To get external alerts working for that EDR, I am setting event.kind to "alert", but the events are not showing up in the external alerts session. I only set the field in the JSON; do I need to do something else to make the document ECS-compliant? Here is an example of the JSON document.
{
"info":"None",
"customer_id":"xxx",
"created_at":"2022-07-28T13:02:50.574Z",
"severity":"medium",
"event_service_event_id":"xxx",
"threat":"PsExec",
"threat_cleanable":false,
"when":"2022-07-28T13:01:18.000Z",
"location":"xxx-xxx",
"id":"xxx",
"type":"Event::Endpoint::Threat::PuaDetected",
"description":"PUA detectada: 'PsExec' at 'C:\\ProgramData\\xxx\\xxx\\xxx\\apps\\xxx\\xxx\\xxx'",
"source":"xxx-xxx\\xxx-xxx",
"data":{
"created_at":1659013370574,
"endpoint_id":"xxx-xxx",
"endpoint_java_id":"xxx-xxx",
"endpoint_platform":"windows",
"endpoint_type":"computer",
"event_service_id":"xxx",
"inserted_at":1659013370574,
"source_info":{
"ip":"x.x.x.x"
},
"threat_id":"62b61e2e88e3b414831e22c5",
"threat_status":"NOT_CLEANUPABLE",
"user_match_id":"xxx",
"user_match_uuid":"xxx"
},
"event":{
"kind":"alert",
"category":[
"intrusion_detection",
"network"
]
},
"host":{
"ip":"x.x.x.x",
"name":"PCxxx"
}
}