Missing "Custom Fields" in alerts generated from "endpoint" indexes

Hello,

I would like to ask a question about Custom Fields.

I had just added a "Custom Field" inside one of my Fleet Policy, as shown on the below screenshot:

I get the field correctly added to all the logs (and therefore transposed to all the alerts) that are generated, for example, from rules that check inside winlogbeat-* or logs-windows.* index:

image729×409 22.2 KB

The issue i'm facing is that the field isn't added on the logs (and alerts) that are inside the logs-endpoint.* indexes:

image743×419 22.3 KB

image734×165 4.04 KB

Am i doing something wrong?

Thank you

The Fleet settings apply to a feature called "processors" which only Beats have. Endpoint doesn't have support for it, but it also has a means to inject simple key-value pairs into documents, see advanced option
[platform].advanced.document_enrichment.fields

image1328×382 46.9 KB

Hello @lesio,

Thank you for your answer, i confirm that with this field it's possible to add custom fields to Endpoint documents.

However, i'm facing another related issue: with the Fleet custom field i'm able to filter alerts, but the Endpoint document enrichment fields that i add aren't available to use as queries in Security Alerts.

May be caused by some missing index mapping?

I haven't tested this, but if you add these custom fields to index mappings does that fix it?

Actually i fixed the issue by creating a new Field from the Alerts table

image942×564 40.8 KB

Now i can filter every alert, generated either from Beats or Endpoint.

Thank you everyone, problem fixed.