How to find all SIEM rules where field "timestampOverride" is not equal to "event.ingested"?

dsv · February 2, 2024, 10:29am

Hey everyone
8.12.0

Trying to find SIEM detection rules where field "timestampOverride" is not equal to "event.ingested"

GET kbn:/api/alerting/rules/_find?search_fields=params.timestampOverride&search=event.ingested
is worked.

How to find all other rules where field "timestampOverride" is not equal to "event.ingested"?

The simple filter also works

GET kbn:/api/alerting/rules/_find?filter=alert.attributes.params.timestampOverride:event.ingested

But

GET kbn:/api/alerting/rules/_find?filter
 { "bool": 
    { "must_not": [
      { "term":
        {"params.timestampOverride": "event.ingested"}
      }
    ]
    }
 }

shows all rules (not filtered) as a JSON

dsv · February 27, 2024, 10:10am

Any ideas?

system · March 26, 2024, 10:11am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Unable to get rule triggered SIEM	7	905	December 8, 2022
SIEM detection rule apply for difference time SIEM	2	330	October 23, 2020
Elastic detection rules fail Elastic Security detection-rules	2	781	June 30, 2023
SIEM detection signals not showing up SIEM	9	1170	August 31, 2020
No data showing in SIEM Detection tab SIEM detection-rules	5	707	February 8, 2022

How to find all SIEM rules where field "timestampOverride" is not equal to "event.ingested"?

Related topics