How to change the External alert trend request

Guys, I need to change the information on the External alert trend dashboard, however, I can't find the place to change the requests. The image shows what I want to change.

Hi @wsouza Welcome to the community. (and by the way we are not all guys :slight_smile: )

We are going to need a bit more information.

What version of stack?

Which Module, Dashboard / Visualization?

Or is this one of the built in app like the Security Analytics App.. Perhaps a screen shot would help.

What do you want to change it to?

If this is the security app, you will probably need to map your data to the correct ECS field not change the underlying app.

If it a dashboard under the Dashboards navigation..
In general you can edit any visualization on a Dashboard by Clicking the edit button top right.

Then click on the gear on the specific visualization and select edit.

Depending on the type of visualization Lens, TSVB etc there would be different options to make changes.

Also you can always just create your own visualization.

Ahh I think that is from this Built In App / Dashboard

For the Security App you will need to follow the Security ECS (Elastic Common Schema) for you fields, you can not change the Built In App

See Here

and specifically here

These fields must be mapped to display event and external alert data in the Elastic Security app:

Event and external alert fields

  • @timestamp
  • event.kind

For external alerts, the event.kind field value must be alert .

To do this you simply need to map / set the event.kind to alert

Depending on how you are ingesting these aleert we could probably help with how to set that ... ingest pipeline, logstash, simply set in the REST API etc.

Hi, @stephenb!. I had uploaded the dashboard screen, but I don't think it's visible here on the forum. In fact, it would be that same panel you mentioned.

In mine, event.kind is already as "alert", however, my question is how to generate this type of event.

For monitoring my hosts, I use the beats: winlogbeat, metricbeat, filerbeat and packetbeat. In another environment, I use the Elastic Security Agent and manage it through the fleet server.

In the created indexes, none match the event.kind field: "alert". That's what I find strange. That's why I wanted to change the settings of the aforementioned dashboard to see if it populated with other events.

I'll keep trying some other possibilities to see if I'm successful.

Ok so that is a completely different question :slight_smile: you will need to used the Detections Etc to create Alerts etc .

I would create a new thread with the Title something Like

How do I create External Alerts in the Security App

and the state the sources you are ingesting etc.

Here are the docs on Detections and Alerts

Here is the docs on Generating External Alerts from other sources I believe there is a preconfigured rule that you would need to enable etc...

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.