Problem with the display of the hostname in Kibana alerts, despite its definition in ‘Custom Highlighted Fields’

Hello,

I'm having a problem with alerts in Kibana. I added the hostname to the ‘Custom highlighted fields’ in my alert rule definition, but the hostname is not displayed in the generated alert.

Here are the steps I took:

  • I configured my alert rule with custom highlighted fields to include the hostname (using the filebeat-* index).
  • I created an alert that should include this hostname.
  • However, when the alert is triggered, the hostname does not appear in the alert details.

I was wondering if anyone has encountered a similar problem or if there is a reason why the hostname is not included in the alert, despite its presence in the rule configuration.

Rule description:

Alert description:

Thanks in advance for your feedback!

Hi!
Does the alert itself have a hostname field? Can you see it in the Table or JSON tab?

If you can share a copy of the alert, that would be great.

Hello,

Below is a sample JSON document from my agent, containing the field host.name:

{
  "_index": ".ds-filebeat-9.0.0-2024.12.06-000002",
  "_id": "r1_ctZMBHKffx07ujZ9j",
  "_version": 1,
  "_score": 0,
  "_source": {
    "@timestamp": "2024-12-11T13:15:43.214Z",
    "agent": {
      "type": "filebeat",
      "version": "9.0.0",
      "ephemeral_id": "ed18c6ea-1919-4590-a503-c852ca6f3e94",
      "id": "59d71abc-5da2-4ba8-a21b-a779a9d8e026",
      "name": "MK5-RSU"
    },
    "log": {
      "file": {
        "path": "/home/user/workspace/traffic_light_state.json"
      },
      "logger": "traffic_light_state",
      "origin": {
        "file": {
          "line": 52,
          "name": "print-traffic-light-state.py"
        },
        "function": "<module>"
      },
      "original": "Traffic light state",
      "level": "info",
      "offset": 3055554
    },
    "event": {
      "MID": "4f:76:d4:4c:8c:ab",
      "light state": "dark",
      "timestamp": "2024-12-11T13:15:43.209603",
      "wlan-src": "00:0d:41:12:19:78"
    },
    "process": {
      "name": "MainProcess",
      "pid": 6963,
      "thread": {
        "name": "MainThread",
        "id": 1996055312
      }
    },
    "ecs": {
      "version": "1.6.0"
    },
    "message": "Traffic light state",
    "input": {
      "type": "log"
    },
    "host": {
      "architecture": "armv7l",
      "os": {
        "codename": "focal",
        "type": "linux",
        "platform": "ubuntu",
        "version": "20.04.5 LTS (Focal Fossa)",
        "family": "debian",
        "name": "Ubuntu",
        "kernel": "4.14.98-00009-g815aa81f1"
      },
      "id": "4db9660272c5a45f2a85d922631a7952",
      "containerized": false,
      "name": "mk5-rsu",
      "ip": [
        "160.98.26.181",
        "fe80::6e5:48ff:fe10:c924",
        "10.1.1.3",
        "fe80::b0b0:9dff:fed6:299e"
      ],
      "mac": [
        "00-44-4F-54-33-00",
        "00-44-4F-54-34-00",
        "02-24-31-2D-A2-39",
        "04-E5-48-10-C9-24",
        "04-E5-48-10-C9-25",
        "0A-3F-71-A3-3F-E3",
        "12-BA-D7-BC-A7-C6",
        "2E-FB-69-24-41-BE",
        "32-24-5A-72-23-AA",
        "36-85-E7-26-0C-CD",
        "4A-3A-1B-E6-61-B3",
        "4A-5A-71-2B-EE-34",
        "4E-8C-5A-A6-D2-90",
        "62-06-40-44-30-A7",
        "6E-DB-5C-1E-72-EA",
        "8A-44-CF-75-9D-33",
        "8A-CA-87-0A-CB-C9",
        "A6-F7-72-FC-58-9C",
        "B2-B0-9D-D6-29-9E",
        "BA-32-AF-D2-D4-72",
        "BA-CA-9B-D6-49-B3",
        "CE-42-F6-F9-9C-35",
        "DE-ED-D7-61-2B-F1",
        "E2-27-6A-43-AF-2D",
        "E6-17-C9-45-E3-1E",
        "EA-59-31-68-D0-D9"
      ],
      "hostname": "MK5-RSU"
    }
  },
  "fields": {
    "process.name.text": [
      "MainProcess"
    ],
    "host.os.name.text": [
      "Ubuntu"
    ],
    "host.hostname": [
      "MK5-RSU"
    ],
    "event.light state": [
      "dark"
    ],
    "process.pid": [
      6963
    ],
    "host.mac": [
      "00-44-4F-54-33-00",
      "00-44-4F-54-34-00",
      "02-24-31-2D-A2-39",
      "04-E5-48-10-C9-24",
      "04-E5-48-10-C9-25",
      "0A-3F-71-A3-3F-E3",
      "12-BA-D7-BC-A7-C6",
      "2E-FB-69-24-41-BE",
      "32-24-5A-72-23-AA",
      "36-85-E7-26-0C-CD",
      "4A-3A-1B-E6-61-B3",
      "4A-5A-71-2B-EE-34",
      "4E-8C-5A-A6-D2-90",
      "62-06-40-44-30-A7",
      "6E-DB-5C-1E-72-EA",
      "8A-44-CF-75-9D-33",
      "8A-CA-87-0A-CB-C9",
      "A6-F7-72-FC-58-9C",
      "B2-B0-9D-D6-29-9E",
      "BA-32-AF-D2-D4-72",
      "BA-CA-9B-D6-49-B3",
      "CE-42-F6-F9-9C-35",
      "DE-ED-D7-61-2B-F1",
      "E2-27-6A-43-AF-2D",
      "E6-17-C9-45-E3-1E",
      "EA-59-31-68-D0-D9"
    ],
    "log.logger": [
      "traffic_light_state"
    ],
    "host.ip": [
      "160.98.26.181",
      "fe80::6e5:48ff:fe10:c924",
      "10.1.1.3",
      "fe80::b0b0:9dff:fed6:299e"
    ],
    "agent.type": [
      "filebeat"
    ],
    "host.os.version": [
      "20.04.5 LTS (Focal Fossa)"
    ],
    "host.os.kernel": [
      "4.14.98-00009-g815aa81f1"
    ],
    "host.os.name": [
      "Ubuntu"
    ],
    "event.MID": [
      "4f:76:d4:4c:8c:ab"
    ],
    "log.level": [
      "info"
    ],
    "agent.name": [
      "MK5-RSU"
    ],
    "host.name": [
      "mk5-rsu"
    ],
    "host.id": [
      "4db9660272c5a45f2a85d922631a7952"
    ],
    "log.original": [
      "Traffic light state"
    ],
    "process.thread.name": [
      "MainThread"
    ],
    "log.origin.file.line": [
      52
    ],
    "host.os.type": [
      "linux"
    ],
    "event.wlan-src": [
      "00:0d:41:12:19:78"
    ],
    "host.os.codename": [
      "focal"
    ],
    "input.type": [
      "log"
    ],
    "log.offset": [
      3055554
    ],
    "agent.hostname": [
      "MK5-RSU"
    ],
    "event.timestamp": [
      "2024-12-11T13:15:43.209603"
    ],
    "message": [
      "Traffic light state"
    ],
    "host.architecture": [
      "armv7l"
    ],
    "process.name": [
      "MainProcess"
    ],
    "@timestamp": [
      "2024-12-11T13:15:43.214Z"
    ],
    "log.origin.file.name": [
      "print-traffic-light-state.py"
    ],
    "log.origin.function": [
      "<module>"
    ],
    "agent.id": [
      "59d71abc-5da2-4ba8-a21b-a779a9d8e026"
    ],
    "ecs.version": [
      "1.6.0"
    ],
    "host.containerized": [
      false
    ],
    "host.os.platform": [
      "ubuntu"
    ],
    "log.file.path": [
      "/home/user/workspace/traffic_light_state.json"
    ],
    "agent.ephemeral_id": [
      "ed18c6ea-1919-4590-a503-c852ca6f3e94"
    ],
    "agent.version": [
      "9.0.0"
    ],
    "host.os.family": [
      "debian"
    ],
    "process.thread.id": [
      1996055312
    ]
  }
}

This document is used by a detection rule. Below is the JSON document of the corresponding generated alert:

{
  "_index": ".internal.alerts-security.alerts-default-000002",
  "_id": "07a5bb7412d3f9715d1b740d16233df0f4207cd6c71a5e8fe627e247b1a0398e",
  "_score": 1,
  "_source": {
    "kibana.alert.rule.execution.timestamp": "2024-12-12T14:08:18.156Z",
    "kibana.alert.start": "2024-12-12T14:08:18.156Z",
    "kibana.alert.last_detected": "2024-12-12T14:08:18.156Z",
    "kibana.version": "8.15.3",
    "kibana.alert.rule.parameters": {
      "description": "Alert generated when there are more than 63 packets transmitted for a given source",
      "risk_score": 99,
      "severity": "critical",
      "license": "",
      "meta": {
        "from": "1m",
        "kibana_siem_app_url": "http://mb4soc.isc.heia-fr.ch:5601/app/security"
      },
      "investigation_fields": {
        "field_names": [
          "host.name"
        ]
      },
      "author": [],
      "false_positives": [],
      "from": "now-61s",
      "rule_id": "4d53410a-cced-4cb9-b39d-b365d19a61aa",
      "max_signals": 100,
      "risk_score_mapping": [],
      "severity_mapping": [],
      "threat": [],
      "to": "now",
      "references": [],
      "version": 1,
      "exceptions_list": [],
      "immutable": false,
      "rule_source": {
        "type": "internal"
      },
      "related_integrations": [],
      "required_fields": [],
      "setup": "",
      "type": "threshold",
      "language": "kuery",
      "index": [
        "filebeat-*"
      ],
      "query": "host.name : *",
      "filters": [],
      "threshold": {
        "field": [
          "event.wlan-src"
        ],
        "value": 63,
        "cardinality": []
      }
    },
    "kibana.alert.rule.category": "Threshold Rule",
    "kibana.alert.rule.consumer": "siem",
    "kibana.alert.rule.execution.uuid": "10660a16-49c4-48b9-a233-ed5837c33d85",
    "kibana.alert.rule.name": "Replay attack on a traffic light",
    "kibana.alert.rule.producer": "siem",
    "kibana.alert.rule.revision": 5,
    "kibana.alert.rule.rule_type_id": "siem.thresholdRule",
    "kibana.alert.rule.uuid": "ade0288d-a612-4b90-93c9-9e4e9deeeae2",
    "kibana.space_ids": [
      "default"
    ],
    "kibana.alert.rule.tags": [],
    "@timestamp": "2024-12-12T14:08:18.149Z",
    "event.wlan-src": "00:0d:41:12:19:78",
    "event.kind": "signal",
    "kibana.alert.original_time": "2024-12-12T14:08:14.454Z",
    "kibana.alert.ancestors": [
      {
        "id": "3feb4add-9fa9-5a92-8d52-d735c155db6a",
        "type": "event",
        "index": "filebeat-*",
        "depth": 0
      }
    ],
    "kibana.alert.status": "active",
    "kibana.alert.workflow_status": "open",
    "kibana.alert.depth": 1,
    "kibana.alert.reason": "event created critical alert Replay attack on a traffic light.",
    "kibana.alert.severity": "critical",
    "kibana.alert.risk_score": 99,
    "kibana.alert.rule.actions": [],
    "kibana.alert.rule.author": [],
    "kibana.alert.rule.created_at": "2024-12-04T16:03:57.020Z",
    "kibana.alert.rule.created_by": "nathan.kulczyki",
    "kibana.alert.rule.description": "Alert generated when there are more than 63 packets transmitted for a given source",
    "kibana.alert.rule.enabled": true,
    "kibana.alert.rule.exceptions_list": [],
    "kibana.alert.rule.false_positives": [],
    "kibana.alert.rule.from": "now-61s",
    "kibana.alert.rule.immutable": false,
    "kibana.alert.rule.interval": "1s",
    "kibana.alert.rule.indices": [
      "filebeat-*"
    ],
    "kibana.alert.rule.license": "",
    "kibana.alert.rule.max_signals": 100,
    "kibana.alert.rule.references": [],
    "kibana.alert.rule.risk_score_mapping": [],
    "kibana.alert.rule.rule_id": "4d53410a-cced-4cb9-b39d-b365d19a61aa",
    "kibana.alert.rule.severity_mapping": [],
    "kibana.alert.rule.threat": [],
    "kibana.alert.rule.to": "now",
    "kibana.alert.rule.type": "threshold",
    "kibana.alert.rule.updated_at": "2024-12-12T14:03:40.009Z",
    "kibana.alert.rule.updated_by": "nathan.kulczyki",
    "kibana.alert.rule.version": 1,
    "kibana.alert.uuid": "07a5bb7412d3f9715d1b740d16233df0f4207cd6c71a5e8fe627e247b1a0398e",
    "kibana.alert.workflow_tags": [],
    "kibana.alert.workflow_assignee_ids": [],
    "kibana.alert.rule.meta.from": "1m",
    "kibana.alert.rule.meta.kibana_siem_app_url": "http://mb4soc.isc.heia-fr.ch:5601/app/security",
    "kibana.alert.rule.risk_score": 99,
    "kibana.alert.rule.severity": "critical",
    "kibana.alert.threshold_result": {
      "count": 67,
      "from": "2024-12-12T14:07:54.695Z",
      "terms": [
        {
          "field": "event.wlan-src",
          "value": "00:0d:41:12:19:78"
        }
      ]
    },
    "kibana.alert.original_event.wlan-src": "00:0d:41:12:19:78"
  },
  "fields": {
    "kibana.alert.severity": [
      "critical"
    ],
    "kibana.alert.threshold_result.terms.value": [
      "00:0d:41:12:19:78"
    ],
    "signal.rule.type": [
      "threshold"
    ],
    "kibana.alert.rule.updated_by": [
      "nathan.kulczyki"
    ],
    "signal.ancestors.depth": [
      0
    ],
    "signal.threshold_result.terms.value": [
      "00:0d:41:12:19:78"
    ],
    "kibana.alert.ancestors.id": [
      "3feb4add-9fa9-5a92-8d52-d735c155db6a"
    ],
    "kibana.alert.threshold_result.count": [
      67
    ],
    "kibana.alert.rule.description": [
      "Alert generated when there are more than 63 packets transmitted for a given source"
    ],
    "kibana.alert.rule.producer": [
      "siem"
    ],
    "kibana.alert.rule.to": [
      "now"
    ],
    "signal.rule.created_by": [
      "nathan.kulczyki"
    ],
    "signal.rule.interval": [
      "1s"
    ],
    "kibana.alert.reason.text": [
      "event created critical alert Replay attack on a traffic light."
    ],
    "kibana.alert.rule.created_by": [
      "nathan.kulczyki"
    ],
    "kibana.alert.ancestors.depth": [
      0
    ],
    "signal.rule.enabled": [
      "true"
    ],
    "signal.rule.id": [
      "ade0288d-a612-4b90-93c9-9e4e9deeeae2"
    ],
    "signal.rule.max_signals": [
      100
    ],
    "signal.reason": [
      "event created critical alert Replay attack on a traffic light."
    ],
    "signal.rule.risk_score": [
      99
    ],
    "kibana.alert.risk_score": [
      99
    ],
    "signal.rule.updated_at": [
      "2024-12-12T14:03:40.009Z"
    ],
    "kibana.alert.rule.name": [
      "Replay attack on a traffic light"
    ],
    "kibana.alert.threshold_result.terms.field": [
      "event.wlan-src"
    ],
    "signal.status": [
      "open"
    ],
    "event.kind": [
      "signal"
    ],
    "signal.rule.created_at": [
      "2024-12-04T16:03:57.020Z"
    ],
    "kibana.alert.workflow_status": [
      "open"
    ],
    "kibana.alert.rule.uuid": [
      "ade0288d-a612-4b90-93c9-9e4e9deeeae2"
    ],
    "kibana.alert.rule.interval": [
      "1s"
    ],
    "kibana.alert.threshold_result.from": [
      "2024-12-12T14:07:54.695Z"
    ],
    "kibana.alert.reason": [
      "event created critical alert Replay attack on a traffic light."
    ],
    "kibana.alert.rule.type": [
      "threshold"
    ],
    "signal.threshold_result.terms.field": [
      "event.wlan-src"
    ],
    "signal.ancestors.id": [
      "3feb4add-9fa9-5a92-8d52-d735c155db6a"
    ],
    "signal.original_time": [
      "2024-12-12T14:08:14.454Z"
    ],
    "kibana.alert.start": [
      "2024-12-12T14:08:18.156Z"
    ],
    "kibana.alert.rule.immutable": [
      "false"
    ],
    "signal.rule.severity": [
      "critical"
    ],
    "kibana.alert.ancestors.index": [
      "filebeat-*"
    ],
    "signal.rule.from": [
      "now-61s"
    ],
    "kibana.alert.depth": [
      1
    ],
    "kibana.alert.rule.enabled": [
      "true"
    ],
    "kibana.alert.rule.version": [
      "1"
    ],
    "kibana.alert.rule.from": [
      "now-61s"
    ],
    "kibana.alert.ancestors.type": [
      "event"
    ],
    "kibana.alert.rule.parameters": [
      {
        "description": "Alert generated when there are more than 63 packets transmitted for a given source",
        "risk_score": 99,
        "severity": "critical",
        "license": "",
        "meta": {
          "from": "1m",
          "kibana_siem_app_url": "http://mb4soc.isc.heia-fr.ch:5601/app/security"
        },
        "investigation_fields": {
          "field_names": [
            "host.name"
          ]
        },
        "author": [],
        "false_positives": [],
        "from": "now-61s",
        "rule_id": "4d53410a-cced-4cb9-b39d-b365d19a61aa",
        "max_signals": 100,
        "risk_score_mapping": [],
        "severity_mapping": [],
        "threat": [],
        "to": "now",
        "references": [],
        "version": 1,
        "exceptions_list": [],
        "immutable": false,
        "rule_source": {
          "type": "internal"
        },
        "related_integrations": [],
        "required_fields": [],
        "setup": "",
        "type": "threshold",
        "language": "kuery",
        "index": [
          "filebeat-*"
        ],
        "query": "host.name : *",
        "filters": [],
        "threshold": {
          "field": [
            "event.wlan-src"
          ],
          "value": 63,
          "cardinality": []
        }
      }
    ],
    "kibana.alert.rule.revision": [
      5
    ],
    "signal.rule.version": [
      "1"
    ],
    "kibana.alert.original_event.wlan-src": [
      "00:0d:41:12:19:78"
    ],
    "signal.threshold_result.from": [
      "2024-12-12T14:07:54.695Z"
    ],
    "kibana.alert.status": [
      "active"
    ],
    "kibana.alert.last_detected": [
      "2024-12-12T14:08:18.156Z"
    ],
    "signal.ancestors.index": [
      "filebeat-*"
    ],
    "signal.depth": [
      1
    ],
    "signal.rule.immutable": [
      "false"
    ],
    "kibana.alert.rule.rule_type_id": [
      "siem.thresholdRule"
    ],
    "signal.rule.name": [
      "Replay attack on a traffic light"
    ],
    "signal.rule.rule_id": [
      "4d53410a-cced-4cb9-b39d-b365d19a61aa"
    ],
    "kibana.alert.rule.license": [
      ""
    ],
    "kibana.alert.rule.max_signals": [
      100
    ],
    "kibana.alert.rule.updated_at": [
      "2024-12-12T14:03:40.009Z"
    ],
    "signal.rule.description": [
      "Alert generated when there are more than 63 packets transmitted for a given source"
    ],
    "event.wlan-src": [
      "00:0d:41:12:19:78"
    ],
    "kibana.alert.rule.risk_score": [
      99
    ],
    "signal.threshold_result.count": [
      67
    ],
    "kibana.alert.rule.consumer": [
      "siem"
    ],
    "kibana.alert.rule.indices": [
      "filebeat-*"
    ],
    "kibana.alert.rule.category": [
      "Threshold Rule"
    ],
    "@timestamp": [
      "2024-12-12T14:08:18.149Z"
    ],
    "kibana.alert.rule.created_at": [
      "2024-12-04T16:03:57.020Z"
    ],
    "signal.rule.to": [
      "now"
    ],
    "signal.rule.updated_by": [
      "nathan.kulczyki"
    ],
    "kibana.alert.rule.severity": [
      "critical"
    ],
    "kibana.alert.rule.execution.timestamp": [
      "2024-12-12T14:08:18.156Z"
    ],
    "kibana.alert.rule.execution.uuid": [
      "10660a16-49c4-48b9-a233-ed5837c33d85"
    ],
    "kibana.alert.uuid": [
      "07a5bb7412d3f9715d1b740d16233df0f4207cd6c71a5e8fe627e247b1a0398e"
    ],
    "kibana.space_ids": [
      "default"
    ],
    "kibana.alert.rule.meta.kibana_siem_app_url": [
      "http://mb4soc.isc.heia-fr.ch:5601/app/security"
    ],
    "kibana.version": [
      "8.15.3"
    ],
    "kibana.alert.rule.meta.from": [
      "1m"
    ],
    "signal.rule.license": [
      ""
    ],
    "signal.ancestors.type": [
      "event"
    ],
    "kibana.alert.original_time": [
      "2024-12-12T14:08:14.454Z"
    ],
    "kibana.alert.rule.rule_id": [
      "4d53410a-cced-4cb9-b39d-b365d19a61aa"
    ]
  }
}

Here is the definition of my rule:

Thanks in advance :slight_smile: