Hello,
I was wondering how we can use the 'External Alert' functionality in Kibana SIEM 7.6.0? The documentation is rather sparse (https://www.elastic.co/guide/en/siem/guide/current/detection-engine-overview.html#_signals_and_external_alerts)
How do we make it pick up external alerts? What conditions need to be met for data to be visualised in 'External Alerts'?
Willem
Hi willemdh,
You just have to set ECS categorization field event.kind:"alert". To get full use of the "Stack by" functions on the overview and detections pages, also populate event.module and event.category. To get hyperlinks back to the source of alert, you can populate rule.reference with a URL.
Hope this helps,
Mike P.
Mike,
Actually the way you are describing how it works, is exactly how I was hoping it would work. I already started flagging event.Kind with Alert's some time ago, so this should play out perfect.
We will wait for 7.6.1 however before upgrading our PR cluster, but I will play with this functionality in our QA.
TX!
Willem
Hello,
Just wanted to confirm I got this working. But I noticed that there seems to be no way to define which columns are shown currently?
The default column list is very unlogical..
First of all observer.name isn't even an ecs field. Also I need to observer.hostname to be the first column. I can configure this:
But when reloading the page, everything is reverted to the default column setup? Or am I missing something?
Grtz
Willem
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.
© 2020. All Rights Reserved - Elasticsearch
Apache, Apache Lucene, Apache Hadoop, Hadoop, HDFS and the yellow elephant logo are trademarks of the Apache Software Foundation in the United States and/or other countries.
