Empty column "Last failed source"

See also attached screenshot:
I would expect IP addresses in the column "Last failed source". This expectation is based on the timestamp in the column "Last failure".

Since this is not the case: what would it take to make that happen?

I'm running ES with Kibana version 7.6.1, including the respective Auditbeat and Packetbeat shippers.

Hi, this is a question more about the data collection than Kibana (which only displays what data there is in ES).
You should try asking this in the Beats sub-forum.

Thank you for the response Marius.

While a valid possibility in itself, it is not the case here.

The data seems to be there - I have checked this with Discovery on the index Auditbeat => this is the data source for this part.

However, I'm not aware of something that can be used for a crosscheck => is Kibana reading from the same tables as Auditbeat is writing to.

I have a similar issue with Packetbeat and TLS: there seems to be a mismatch in the data scheme.

Ah, I just realized now that you are in the SIEM app. I apologize, at first sight it seemed like a table created in Discover. It might be the same issue, I'll ping the SIEM team about it.

Thanks Marius.
Let me know if there is anything I can do to help.
