Multiple Alerts in Different ATT&CK Tactics on a Single Host

I wonder how to handle this kind of alert.

According to the documentation I should "investigate in timeline" to see what exactly triggered the alert. Well, my timeline is empty?

Also, in the alert data there's no further info about the source.

So what am I missing? How can I get the events that triggered this alert?

Hello @GKre

I believe that to review this we will have to check the rule logic and search the data in the corresponding index/data view at the time of the alert, with the logic applied in the rule, to understand why the alert was triggered and what its corresponding events were.

In future, to make this analysis easier, you can try to index this data via an action into an index (e.g. alerts-analysis, any name will do), which could include more data from the {{context}} field as per your requirement.

Thanks!!

Thank you @Tortoise,
if I check your "solution path", we have the relevant base information like the host and the time frame in the alert. The "logic" is also available as part of the rule definition.
Would it be possible to automatically create a "query" for this so that I could go directly into the investigation without having to do manual tasks as a first step?
This could speed up the process?
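Tortoise's suggestion of re-applying the rule logic to the alerts index, and GKre's wish to have the query built automatically, as an added example (not from the thread, not Elastic's code): it replays the threshold on constructed sample alerts and emits the KQL and query DSL for the host and window that fired. The field names (`host.id`, `kibana.alert.rule.threat.tactic.id`), the `.alerts-security.alerts-*` index and the three-distinct-tactics threshold are assumptions based on the Kibana alert schema, not values taken from the thread.

```python
from collections import defaultdict
from datetime import datetime, timezone

TACTIC_FIELD = "kibana.alert.rule.threat.tactic.id"  # assumed alert schema field

# Constructed sample hits, flattened the way an Elasticsearch "fields" response
# returns them; these stand in for documents in .alerts-security.alerts-*.
SAMPLE_ALERTS = [
    {"@timestamp": "2024-05-01T10:01:00Z", "host.id": "h-1", TACTIC_FIELD: "TA0001"},
    {"@timestamp": "2024-05-01T10:05:00Z", "host.id": "h-1", TACTIC_FIELD: "TA0002"},
    {"@timestamp": "2024-05-01T10:06:00Z", "host.id": "h-1", TACTIC_FIELD: "TA0002"},
    {"@timestamp": "2024-05-01T10:40:00Z", "host.id": "h-1", TACTIC_FIELD: "TA0003"},
    {"@timestamp": "2024-05-01T10:20:00Z", "host.id": "h-2", TACTIC_FIELD: "TA0001"},
    # Outside the rule's look-back window: must not count toward the threshold.
    {"@timestamp": "2024-05-01T07:00:00Z", "host.id": "h-1", TACTIC_FIELD: "TA0004"},
]
WINDOW_START = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 5, 1, 11, 0, tzinfo=timezone.utc)

def _ts(alert):
    return datetime.fromisoformat(alert["@timestamp"].replace("Z", "+00:00"))

def tactics_per_host(alerts, start, end):
    """Re-apply the rule logic: group alerts in the window by host.id and
    collect the distinct ATT&CK tactic ids each host produced."""
    seen = defaultdict(set)
    for a in alerts:
        if start <= _ts(a) <= end and a.get(TACTIC_FIELD):
            seen[a["host.id"]].add(a[TACTIC_FIELD])
    return {host: sorted(t) for host, t in seen.items()}

def hosts_over_threshold(alerts, start, end, min_tactics=3):
    """Hosts that would fire the rule (threshold of 3 distinct tactics assumed)."""
    return [h for h, t in tactics_per_host(alerts, start, end).items()
            if len(t) >= min_tactics]

def investigation_query(host_id, start, end):
    """KQL for a timeline plus query DSL for the alerts index, scoped to the
    host and time frame taken from the alert, listing the contributing alerts."""
    kql = f'host.id : "{host_id}" and {TACTIC_FIELD} : *'
    dsl = {"query": {"bool": {"filter": [
        {"term": {"host.id": host_id}},
        {"exists": {"field": TACTIC_FIELD}},
        {"range": {"@timestamp": {"gte": start.isoformat(), "lte": end.isoformat()}}},
    ]}}, "sort": [{"@timestamp": "asc"}]}
    return kql, dsl
```

In practice the sample list is replaced by the hits returned from the alerts index for the alert's time frame, and the resulting KQL is what gets opened in the timeline.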

Hello @GKre

Please review the blog below:

Thanks!!