Include a custom non-ECS field in alerts

jcruz · January 17, 2024, 1:30pm

Hello guys!

We have some indices with enriched custom fields that are not ECS compatible, as they are business related information. We would like to have those fields in the alerts generated from Detection-Rules, so we can aggregate those alerts based on those business information.

It there any way to include those fields in the alerts events?

I have looked for a way to implement it and I didn't find any solution, just some information that ECS fields are included automatically.

Thanks in advance!

Roberto!

leandrojmp · January 17, 2024, 2:08pm

How are you creating the rules?

I have multiple rules that use non ECS fields without any issue.

system · February 14, 2024, 2:08pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Adding a custom field in alerts without defining in query Elastic Security detection-rules	13	3347	November 4, 2022
Elastic Detection Actions - any way to add fields? SIEM	2	400	April 25, 2022
Dec 4th, 2020: [EN] Validate Elastic Common Schema (ECS) fields using Security Detection Rules Advent Calendar ecs-elastic-common-schema	1	1737	January 1, 2021
Alert is not populating the right fields Elastic Security	2	176	September 28, 2022
Custom Rules not working SIEM elastic-stack-alerting	8	1468	January 13, 2021

Include a custom non-ECS field in alerts

Related topics