How to get the List of highlighted fields attached per rule in Alerts flyout in Security Analytics

For my use case I want to understand whether there is an associated API which gives the highlighted fields section in the alerts flyout in the Security plugin in Kibana.

The highlighted fields which get generated in the alert flyout are dynamic, i.e. triggering different rules as alerts shows different fields. I want to understand whether there is an API which can be used to get these fields for a rule, or an index where this rule/highlighted field relationship gets stored.

Kindly help with this.

Hey @Sergie,

Here's an explanation of how Highlighted Fields are retrieved and then displayed in the Alerts flyout. It might be more information than you asked for (if so I apologize), but the logic is actually not straightforward, so I figured I'd provide as much as possible here. If you're not interested in understanding how things work in detail, you can skip to the end where I answer your question more directly :slight_smile:


The logic to decide the list of highlighted fields to show happens in this function.
As you can see there, we aggregate fields from multiple places:

  • we have a static list of fields that we always want to display. You can see that list here. These would be fields like host.name, user.name, rule.name...
  • to those we add some fields based off of the event's category (see the switch/case here). The value for the event category is retrieved by looking at the event.category field on the alert.
  • to those we add fields based off of the event's code (see this switch/case here). The value for the event code is retrieved by looking at the event.code field.
  • finally, to those we add fields based off of the rule type (see this switch/case here). The rule type value is retrieved by looking at the kibana.alert.rule.type field.

To all the fields above, we add custom fields that have been added to the rule. These fields can be added when creating or editing a rule (see the document here). This was added in 8.10 (see this PR). More recently we made some improvements allowing bulk editing for rule highlighted fields (see this PR). And even more recently we've made improvements to the UI of the flyout to allow users to edit custom rule highlighted fields directly from the flyout Overview tab itself (see this PR)! Note that the code in the very last PR is still behind a disabled feature flag. We should be enabling it soon.

Now the last piece of the puzzle resides in the flyout display logic (specifically here) where we filter out all the field/value pairs where the value is empty. The reason being that we do not want to overload the UI with tons of fields with no values to display... This is why, when following the logic above you would expect to see 20+ fields, but most of the time you only see a handful in the UI.


As you can see, the logic to retrieve fields isn't straightforward. To answer your question though, to my knowledge there isn't an API, as the logic that decides which fields are shown in the UI happens on the client side, and it runs when users open the flyout.

2 Likes
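To make the aggregate-then-filter behaviour described above concrete, here is an added TypeScript model of it. It is not Kibana's code; the per-category, per-code and per-rule-type tables are constructed stand-ins for the real lists in the linked source files, and the rule's custom highlighted fields are simply passed in as a parameter.

```typescript
// Added example (not Kibana's code): models the highlighted-fields aggregation
// described in the post. The per-category / per-code / per-rule-type tables are
// constructed stand-ins; Kibana's real lists live in the linked source files.
type Alert = Record<string, unknown>;

const ALWAYS_SHOWN = ['host.name', 'user.name', 'rule.name']; // named in the post
const BY_EVENT_CATEGORY: Record<string, string[]> = {            // constructed
  process: ['process.name', 'process.pid', 'process.parent.name'],
  network: ['source.ip', 'destination.ip', 'destination.port'],
};
const BY_EVENT_CODE: Record<string, string[]> = {                // constructed
  memory_signature: ['memory_signature.rule_name'],
};
const BY_RULE_TYPE: Record<string, string[]> = {                 // constructed
  threshold: ['kibana.alert.threshold_result.count'],
  machine_learning: ['kibana.alert.anomaly_score'],
};

// ECS values may be scalars or arrays; normalise to a list of strings.
function asList(v: unknown): string[] {
  if (Array.isArray(v)) return v.map(String);
  return v == null ? [] : [String(v)];
}

// Static list, then event.category, event.code and kibana.alert.rule.type
// lookups, then the rule's own custom highlighted fields (passed in here;
// where Kibana stores them on the rule is not modelled).
function candidateFields(alert: Alert, customRuleFields: string[]): string[] {
  const fields = ALWAYS_SHOWN.slice();
  for (const c of asList(alert['event.category'])) fields.push(...(BY_EVENT_CATEGORY[c] ?? []));
  for (const c of asList(alert['event.code'])) fields.push(...(BY_EVENT_CODE[c] ?? []));
  for (const t of asList(alert['kibana.alert.rule.type'])) fields.push(...(BY_RULE_TYPE[t] ?? []));
  fields.push(...customRuleFields);
  return Array.from(new Set(fields)); // de-duplicate, keep first-seen order
}

// Final step: the flyout drops every candidate whose value is missing or empty,
// which is why a 20+ candidate list usually collapses to a handful of rows.
function highlightedFields(alert: Alert, customRuleFields: string[]): Array<[string, string[]]> {
  return candidateFields(alert, customRuleFields)
    .map((f): [string, string[]] => [f, asList(alert[f])])
    .filter(([, v]) => v.some((s) => s !== ''));
}
```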

Thanks a lot @Philippe_Oberti for this detailed explanation. This is great.
I really appreciate it.

Just a query: is there a file or something which you have handy which contains the exact Kibana field names categorized based on the different conditions (based on category, code)? Otherwise I will start figuring them out through the code.

@Sergie unfortunately I built my previous answer off of the only file that - to my knowledge - has the information, and it's directly in the code... The links I provided above are pointing to the exact lines for each section though, so hopefully that will make it a little bit easier for you?
Granted that these links are valid at the time of writing this message... they might be slightly outdated in a few weeks if we make changes to the code :frowning:

For now that's the best I can do, sorry about that!

2 Likes

Thanks @Philippe_Oberti, yeah those are really useful :slight_smile:
I was able to traverse through the code and get those fields.

Just one more question

These counts of alerts related by ancestry: how are they calculated? Is it based on some field/combination of fields from the alert payload?

1 Like

Sorry for my late reply @Sergie, I was off yesterday!

So, while the logic to retrieve the count of alerts related by ancestry is not complex per se, it's not straightforward either :laughing: . Let me try to explain the flow:

  • this is the component that renders that line in the flyout. That component leverages a series of hooks where we ultimately make a call to the api/endpoint/resolver/tree API. This is the function where the magic happens on the server side.
  • The first thing we do is fetch all the ancestors of the document that is visualized in the flyout, by making a request to Elasticsearch with the id of the visualized document and the following (non-exhaustive) options:
schema: {
    id: 'process.entity_id',
    parent: 'process.parent.entity_id',
    ancestry: 'process.Ext.ancestry',
    name: 'process.name',
    agentId: 'agent.id'
},
ancestors: 200,
indexPatterns: [ '.alerts-security.alerts-default', 'logs-*' ],
  • We then retrieve all the descendants for that same document, which is another request to Elasticsearch with the following options (again not exhaustive):
schema: {
    id: 'process.entity_id',
    parent: 'process.parent.entity_id',
    ancestry: 'process.Ext.ancestry',
    name: 'process.name',
    agentId: 'agent.id'
},
descendants: 500,
indexPatterns: [ '.alerts-security.alerts-default', 'logs-*' ],
  • Once we have these, we process and clean the data up a bit, and we now have a list of all unique ancestors and descendants of the document we're looking at.
  • The next and final step is yet another request to Elasticsearch, this time to retrieve all the alerts related to the ancestors and descendants. We massage the data a bit, and this is what is returned to the frontend and used in the flyout as a count value.

I hope this was not confusing. Please let me know if you have other questions!

2 Likes
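The four steps above, simulated on an in-memory process tree as an added TypeScript example (not Kibana's resolver code). Elasticsearch is replaced by a constructed array keyed on the same process.entity_id / process.parent.entity_id relationship the schema names; an assumed boolean `alert` flag stands in for "this document also lives in the alerts index", and the viewed document itself is excluded from the count, which is an assumption.

```typescript
// Added example (not Kibana's resolver code): the ancestry-count flow on a
// constructed in-memory "index". `alert` marks documents assumed to exist in
// the .alerts-security.alerts-default index.
interface ProcessDoc { id: string; parent?: string; name: string; alert?: boolean }

const INDEX: ProcessDoc[] = [ // constructed sample tree
  { id: 'p1', name: 'explorer.exe' },
  { id: 'p2', parent: 'p1', name: 'cmd.exe', alert: true },
  { id: 'p3', parent: 'p2', name: 'powershell.exe', alert: true }, // viewed in the flyout
  { id: 'p4', parent: 'p3', name: 'whoami.exe', alert: true },
  { id: 'p5', parent: 'p3', name: 'net.exe' },
  { id: 'p6', parent: 'p5', name: 'net1.exe', alert: true },
  { id: 'p9', parent: 'p1', name: 'notepad.exe', alert: true }, // sibling branch: not related
];

// Step 1: follow process.parent.entity_id upward, capped like `ancestors: 200`.
function ancestorsOf(docs: ProcessDoc[], id: string, limit: number): string[] {
  const byId = new Map<string, ProcessDoc>(docs.map((d): [string, ProcessDoc] => [d.id, d]));
  const out: string[] = [];
  let cur = byId.get(id)?.parent;
  while (cur !== undefined && out.length < limit && out.indexOf(cur) === -1) {
    out.push(cur);
    cur = byId.get(cur)?.parent;
  }
  return out;
}

// Step 2: breadth-first walk downward, capped like `descendants: 500`.
function descendantsOf(docs: ProcessDoc[], id: string, limit: number): string[] {
  const out: string[] = [];
  const queue = [id];
  while (queue.length > 0 && out.length < limit) {
    const p = queue.shift() as string;
    for (const d of docs) {
      if (out.length >= limit) break;
      if (d.parent === p && out.indexOf(d.id) === -1) { out.push(d.id); queue.push(d.id); }
    }
  }
  return out;
}

// Steps 3-4: de-duplicate the tree, then count alert documents inside it
// (the viewed document itself is excluded; an assumption).
function relatedByAncestryCount(docs: ProcessDoc[], id: string): number {
  const related = new Set<string>(ancestorsOf(docs, id, 200).concat(descendantsOf(docs, id, 500)));
  related.delete(id);
  return docs.filter((d) => d.alert === true && related.has(d.id)).length;
}
```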

Thanks for the response @Philippe_Oberti :slight_smile: , it's really great help.
I was off for some days as well, so I'm really sorry I couldn't reply back sooner, but this was really helpful again :slight_smile: I really appreciate it.

Along similar lines, I have a last couple of questions.

  1. Under the threat intelligence overview tab, how can I calculate the different counts mentioned for threat matches detected and fields enriched with threat intelligence?

  2. How are the Prevalence fields shown in the overview? How is this done?