Include a custom non-ECS field in alerts

Hello guys!

We have some indices with enriched custom fields that are not ECS compatible, as they are business related information. We would like to have those fields in the alerts generated from Detection Rules, so we can aggregate those alerts based on that business information.

Is there any way to include those fields in the alert events?

I have looked for a way to implement it and I didn't find any solution, just some information that ECS fields are included automatically.

Thanks in advance!


How are you creating the rules?

I have multiple rules that use non ECS fields without any issue.
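As an added illustration of a query rule that references a non-ECS field (this is not the replier's own rule and not from the original thread), below is a constructed request body for the Kibana detection engine rule API (`POST /api/detection_engine/rules`). The index pattern `enriched-events-*` and the custom field `business.unit` are assumptions chosen for the example; the rule simply matches events where that field is present, so the field travels into the resulting alert document alongside the rest of the source event.

```json
{
  "name": "Example: alert on enriched business events",
  "description": "Constructed example rule matching documents that carry a custom non-ECS field.",
  "type": "query",
  "language": "kuery",
  "index": ["enriched-events-*"],
  "query": "business.unit : * and event.category : \"authentication\"",
  "risk_score": 21,
  "severity": "low",
  "enabled": true,
  "interval": "5m",
  "from": "now-6m",
  "tags": ["example", "custom-field"]
}
```

Once alerts are generated, the custom field can be used in the alerts table or in an aggregation on the `.alerts-security.alerts-*` indices (for example a terms aggregation on `business.unit`) to group alerts by business unit. If the field is missing from the alerts, check that the source index mapping actually defines it rather than leaving it unmapped.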
