Guys I am trying to fetch some data from the alert's index ".siem-signals-default-*"
I am trying to retrieve just the "alert id", "alert name", "ancestor index", "ancestor ID", and "group index"
I used the below query:
`query = {
"_source": [
"signal.rule.name",
"signal.rule.query",
"signal.ancestors.id",
"signal.ancestors.index",
"signal.ancestors.type",
"signal.group"],
"query": {
"term": {"signal.status": "open"}
}
}`
below is a sample output:
{'_index': '.siem-signals-default-000001', '_type': '_doc', '_id': 'db0b57ee7d3e179e03cbd4d3b1ea3e7256921a2c1baa29cbd37c8656c037b6d8', '_score': None, '_source': {'signal': {'rule': {'query': 'sequence by host.id with maxspan = 1m\n[ network where event.type: ("connection", "protocol") and network.protocol: "HTTP" and\nserver.port == "5985" and network.direction in ("ingress") and query: ("POST /wsman") ]\n[process where event.type in ("start", "process_started", "info", "end") and powershell.command.name: "Get-Service"]', 'name': 'GET SERVICES ALERT!!'}, 'ancestors': [{'index': '.ds-packetbeat-8.0.0-2022.02.17-000001', 'id': 'O3SpTX8BwcmlMA-NIMfH', 'type': 'event'}], 'group': {'index': 0, 'id': 'fa2c20c10d2b4e6f188255cd8cdfe3dd86f72fcd12cebbdc6d7371e32a83eb3e'}}}, 'sort': [1]}
I have been stuck here for 2 weeks. I don't want to retrieve the index, type, _source, ancestor type, group id, and sort.
please help