How to modify the Overview tab in the Elastic Security app

I converted some IPS logs into ECS format using Fluentd and then delivered them to Elasticsearch.

And you can see in Kibana that the logs are coming in.

The problem is that Elastic Security's Overview tab doesn't show the number of incoming events in Network events.

They can be seen in the events at the top, but the number of events cannot be seen in the host events and network events below.

I'm not going to use Beats. However, it seems that you can only check events from specific equipment that come in through Beats.

How can I display the number of events from different equipment?

Hi @111387!

By default, the Security solution uses the following Elasticsearch indices specified by the securitySolution:defaultIndex setting in Kibana Advanced settings:

apm-*-transaction*, auditbeat-*, endgame-*, filebeat-*, logs-*, packetbeat-*, winlogbeat-*

You may add additional ECS-conforming indices to the setting shown in the screenshot above.

After adding the indices to the securitySolution:defaultIndex setting, they will be represented in the Events widget shown in the screenshot you provided; however, they will not be shown in the Network events widget on the Overview, because that widget counts events from specific agent.types, i.e. agent.type: "auditbeat".

We're always open: Inspect the queries that power the Security app

Tip: You may hover over widgets throughout the Security app and click Inspect to view the Elasticsearch query that powers the widget.

For example, hover over the Network events widget and click the Inspect button:

The Request tab shown in the screenshot below will display the Elasticsearch query used to retrieve the counts shown in the Network events widget:

Thanks for your question!
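As an added illustration of the reply above (example code, not Elastic's implementation or the poster's setup), this Python model shows why events from a custom index can appear in the Events widget yet be missing from Network events: the index-pattern check uses the quoted defaultIndex list, while the exact set of agent.type values the widget counts and the shape of the sample documents are assumptions.

```python
from collections import Counter
from fnmatch import fnmatch

# Index patterns from the securitySolution:defaultIndex setting quoted above.
DEFAULT_INDEX_PATTERNS = ["apm-*-transaction*", "auditbeat-*", "endgame-*",
                          "filebeat-*", "logs-*", "packetbeat-*", "winlogbeat-*"]

# agent.type values the Network events widget counts. The reply names
# "auditbeat"; the other two are an assumption made for this example.
NETWORK_WIDGET_AGENT_TYPES = {"auditbeat", "filebeat", "packetbeat"}

# Constructed sample documents with flattened ECS field names, not real data.
SAMPLE_DOCS = [
    {"_index": "auditbeat-7.10.0", "agent.type": "auditbeat", "event.category": "network"},
    {"_index": "packetbeat-7.10.0", "agent.type": "packetbeat", "event.category": "network"},
    # IPS log shipped by Fluentd into a logs-* index: ECS-conformant, but its
    # agent.type is not one of the Beats values the widget filters on.
    {"_index": "logs-ips-default", "agent.type": "fluentd", "event.category": "network"},
    # Index not covered by defaultIndex at all: invisible to both widgets.
    {"_index": "ips-raw-2021.01", "agent.type": "fluentd", "event.category": "network"},
]


def index_in_default_set(index_name, patterns=DEFAULT_INDEX_PATTERNS):
    """True if the index matches at least one securitySolution:defaultIndex pattern."""
    return any(fnmatch(index_name, p) for p in patterns)


def widget_counts(docs):
    """Return (events_total, network_by_agent_type, network_uncounted).

    The Events widget counts every document in a covered index; the Network
    events widget only counts documents whose agent.type is on the widget's
    list. network_uncounted is the covered network documents that filter drops.
    """
    covered = [d for d in docs if index_in_default_set(d["_index"])]
    by_type = Counter(d["agent.type"] for d in covered
                      if d.get("agent.type") in NETWORK_WIDGET_AGENT_TYPES)
    uncounted = sum(1 for d in covered
                    if d.get("event.category") == "network"
                    and d.get("agent.type") not in NETWORK_WIDGET_AGENT_TYPES)
    return len(covered), dict(by_type), uncounted


if __name__ == "__main__":
    total, by_type, uncounted = widget_counts(SAMPLE_DOCS)
    print(f"Events widget: {total}, Network events widget: {by_type}, "
          f"network docs the widget drops: {uncounted}")
```

Running it shows three documents in the Events count but only the two Beats documents in the Network events buckets, with the Fluentd IPS event dropped even though its index is covered.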

I know how to bring up results through the Inspect Network events Requests.

But is it possible for me to edit the Inspect Network events Requests?

Thanks again for your question and feedback @111387! It's not possible to customize the query in the current implementation, so I created the following GitHub issue to track this feature as part of a refreshed design of the Host events and Network events:

I linked the issue above to this post. Please feel free to comment directly in that issue or in this post with any additional details that might be relevant to your specific use case, as this may help inform the new design.