How to find all SIEM rules where field "timestampOverride" is not equal to "event.ingested"?

Hey everyone
8.12.0

Trying to find SIEM detection rules where field "timestampOverride" is not equal to "event.ingested"

GET kbn:/api/alerting/rules/_find?search_fields=params.timestampOverride&search=event.ingested
works.

How to find all other rules where field "timestampOverride" is not equal to "event.ingested"?

The simple filter also works

GET kbn:/api/alerting/rules/_find?filter=alert.attributes.params.timestampOverride:event.ingested

But

GET kbn:/api/alerting/rules/_find?filter
 { "bool": 
    { "must_not": [
      { "term":
        {"params.timestampOverride": "event.ingested"}
      }
    ]
    }
 }

shows all rules (not filtered) as JSON

Any ideas?
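As an added example (not part of the original post), one robust way to get the "not equal" set is to page through the `_find` API and compare `params.timestampOverride` client side, which also catches rules where the field is unset. `KIBANA_URL` and `KIBANA_API_KEY` are assumed environment variables; the sample rules at the bottom are constructed so the filter can be exercised offline.

```python
import json
import os
import urllib.parse
import urllib.request

# Assumed settings for this example; point them at your own Kibana.
KIBANA_URL = os.environ.get("KIBANA_URL", "http://localhost:5601")
API_KEY = os.environ.get("KIBANA_API_KEY", "")
EXPECTED = "event.ingested"


def fetch_rules_page(page, per_page=100):
    """GET /api/alerting/rules/_find for one page and return the parsed JSON body."""
    qs = urllib.parse.urlencode({"page": page, "per_page": per_page})
    req = urllib.request.Request(f"{KIBANA_URL}/api/alerting/rules/_find?{qs}")
    req.add_header("kbn-xsrf", "true")
    if API_KEY:
        req.add_header("Authorization", f"ApiKey {API_KEY}")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def fetch_all_rules():
    """Follow page/per_page/total until every rule has been collected."""
    rules, page = [], 1
    while True:
        body = fetch_rules_page(page)
        rules.extend(body.get("data", []))
        if not body.get("data") or len(rules) >= body.get("total", 0):
            return rules
        page += 1


def rules_without_expected_override(rules, expected=EXPECTED):
    """Return (id, name, current value) for every rule whose params.timestampOverride
    differs from `expected`; a missing override is reported as None."""
    findings = []
    for rule in rules:
        value = rule.get("params", {}).get("timestampOverride")
        if value != expected:
            findings.append((rule.get("id"), rule.get("name"), value))
    return findings


# Constructed sample rules standing in for a live _find response.
SAMPLE_RULES = [
    {"id": "r1", "name": "good", "params": {"timestampOverride": "event.ingested"}},
    {"id": "r2", "name": "other", "params": {"timestampOverride": "@timestamp"}},
    {"id": "r3", "name": "unset", "params": {}},
]

if __name__ == "__main__":
    rules = fetch_all_rules() if API_KEY else SAMPLE_RULES
    for rule_id, name, value in rules_without_expected_override(rules):
        print(f"{rule_id}\t{name}\ttimestampOverride={value!r}")
```

The result can include non-detection rule types that never carry this param; drop those by rule type before acting on the list.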
