Hi Everyone,
I created a custom rule to get an alert when there is a successful login from a public IP on a Windows host. The Lucene query is as per below (private, loopback and link-local ranges are excluded with anchored regexes, so each pattern needs the escaped dot and trailing `.*`).
(winlog.channel:Security AND winlog.event_id:4624 AND NOT ((winlog.event_data.IpAddress:/.*-.*/) OR (winlog.event_data.IpAddress:(/10\..*/ OR /192\.168\..*/ OR /172\.16\..*/ OR /172\.17\..*/ OR /172\.18\..*/ OR /172\.19\..*/ OR /172\.20\..*/ OR /172\.21\..*/ OR /172\.22\..*/ OR /172\.23\..*/ OR /172\.24\..*/ OR /172\.25\..*/ OR /172\.26\..*/ OR /172\.27\..*/ OR /172\.28\..*/ OR /172\.29\..*/ OR /172\.30\..*/ OR /172\.31\..*/ OR /127\..*/ OR /169\.254\..*/)) OR (winlog.event_data.IpAddress:/::1/) OR (winlog.event_data.IpAddress:(/[Ff][Ee]80::.*/ OR /[Ff][Cc]00::.*/))))
The rule works and triggered the alert, but it doesn't show the field values (user.name, source.ip, etc.) in the Kibana alert, as per the screenshot below.
How could I add these fields so they show in the alert? Looking forward to your kind suggestion.
Thank you.
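Added example, not from the poster or from Elastic: the same exclusion logic as the rule above, implemented in Python over a handful of constructed 4624/4625 events in a winlog-style shape. It uses explicit ipaddress networks for the ranges the rule lists (RFC 1918, loopback, link-local, ULA) instead of one regex per /16, which makes boundaries such as 172.31 vs 172.32 easy to verify, and each match carries the user.name and source.ip values the alert should surface. The event layout and all sample values are assumptions; the public addresses come from documentation ranges.

```python
import ipaddress

# Ranges the Lucene rule excludes, expressed as networks (assumption: this
# list is meant to mirror the rule's regex alternatives exactly).
EXCLUDED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
    "::1/128", "fe80::/10", "fc00::/7",
)]


def is_internal(addr):
    """True for sources the rule should ignore: the '-' placeholder Windows
    writes for local logons, unparsable values, and the excluded ranges."""
    if not addr or addr == "-":
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True  # not an address at all, so not a public source
    return any(ip in net for net in EXCLUDED_NETWORKS)


def public_logons(events):
    """Return one ECS-style record per successful logon (4624 on the
    Security channel) whose source address is outside the excluded ranges."""
    hits = []
    for ev in events:
        w = ev.get("winlog", {})
        if w.get("channel") != "Security" or w.get("event_id") != 4624:
            continue
        data = w.get("event_data", {})
        src = data.get("IpAddress", "")
        if is_internal(src):
            continue
        hits.append({
            "host.name": ev.get("host", {}).get("name"),
            "user.name": data.get("TargetUserName"),
            "source.ip": src,
            "winlog.event_data.LogonType": data.get("LogonType"),
        })
    return hits


def _event(event_id, ip, user, logon_type, host="WIN-SRV01"):
    # Helper that builds a constructed winlog-style document (assumed shape).
    return {"winlog": {"channel": "Security", "event_id": event_id,
                       "event_data": {"IpAddress": ip, "TargetUserName": user,
                                      "LogonType": logon_type}},
            "host": {"name": host}}


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    _event(4624, "203.0.113.45", "alice", "10"),   # public source: should fire
    _event(4624, "10.20.30.40", "bob", "3"),        # RFC 1918: excluded
    _event(4624, "-", "SYSTEM", "5"),               # local service logon: excluded
    _event(4624, "fe80::1ff:fe23:4567:890a", "dave", "3"),  # link-local: excluded
    _event(4625, "203.0.113.99", "mallory", "3"),  # failed logon, wrong event id
    _event(4624, "172.32.0.1", "carol", "3"),      # just outside 172.16/12: fires
    _event(4624, "::1", "erin", "3"),              # IPv6 loopback: excluded
]

if __name__ == "__main__":
    for hit in public_logons(SAMPLE_EVENTS):
        print(hit)
```

Running the block prints the two records that should become alerts; everything else is dropped by the same conditions the rule encodes. The 172.32.0.1 case is the kind of boundary worth keeping in a test, since a typo in one of the nineteen /16 regexes would silently widen or narrow the exclusion.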