I would like to ask a question about Custom Fields.
I have just added a "Custom Field" inside one of my Fleet Policies, as shown in the screenshot below:
The field is correctly added to all the logs (and therefore carried over to all the alerts) that are generated, for example, by rules that query the winlogbeat-* or logs-windows.* indices:
The Fleet setting applies to a feature called "processors", which only Beats have. Endpoint doesn't support it, but it does have its own means of injecting simple key-value pairs into documents; see the advanced option [platform].advanced.document_enrichment.fields.
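To make the two mechanisms named in the answer concrete, here is an added configuration example (not from the original thread or from Elastic's documentation). The first fragment is a Beats `add_fields` processor as it would be entered in the Fleet policy's custom processor box; the second is the Endpoint advanced setting for the Windows platform. The field names (`custom.site`, `custom.tier`), their values, and the assumption that the Endpoint option takes a comma-separated list of `key=value` pairs are illustrative assumptions, not facts from the page.

```yaml
# Beats side (Fleet integration policy, "Processors" advanced option).
# add_fields is a standard Beats processor; with target: '' the keys are
# written at the top level of each event, so the dotted name below becomes
# custom.site / custom.tier on every document the Beat ships.
processors:
  - add_fields:
      target: ''
      fields:
        custom.site: paris      # assumed example value
        custom.tier: prod       # assumed example value

# Endpoint side (Elastic Defend policy, advanced settings).
# Endpoint does not run Beats processors, so the equivalent is the
# per-platform document_enrichment option. The value format shown
# (comma-separated key=value pairs) is an assumption of this example.
windows.advanced.document_enrichment.fields: "custom.site=paris,custom.tier=prod"
# The same key exists for the other platforms, e.g.
# linux.advanced.document_enrichment.fields and
# mac.advanced.document_enrichment.fields.
```

Once both are in place, documents from the Beat and from Endpoint carry the same field names, which is what lets one KQL filter such as `custom.site: paris` match events from either source. Before relying on it in detection rules or alert filters, check the resulting documents in Discover to confirm the field is present and mapped as expected in the index the rule queries.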
Thank you for your answer; I confirm that with this option it's possible to add custom fields to Endpoint documents.
However, I'm facing another related issue: with the Fleet custom field I'm able to filter alerts, but the Endpoint document enrichment fields that I add aren't available to use as queries in Security Alerts.