Remove or Hide Kibana and Signal fields in Elastic Security

Elastic Security Endpoint Security
1

Version: 7.16.3

Hi, everyone

I would like to know whether it is possible to remove or hide Kibana and Signal fields in Elastic Security. When an alert is triggered, you can look over it, here you are a screenshot:

elastic-security
elastic-security1608×680 77.7 KB

I understand that this information is useful, however, in the case of being agile, from my point of view, having many fields you can’t see the wood for the trees :evergreen_tree: .

Thanks in advance :vulcan_salute: ,

Rodrigo

3 Likes
3

Hi Rodrigo,

Have you already experimented with Timeline Templates? I've found that creating a Timeline Template with the desired set of fields and using that in a rule populates the Overview tab option with the key context I'm looking for. I see it as a workaround to your request, but was wondering what your experience might be.

Kind Regards,

Matt

1 Like
4

Hi, @elkn00b

I have created a template in order to set a generic fields:

templates
templates1900×656 78.5 KB

Then, I have modified rule in order to use that template:

suricata-rule
suricata-rule1042×915 54.2 KB

However, when alert is triggered, it does not show template fields:

suricata-overview
suricata-overview941×618 38.2 KB

Thanks in advance,

Regards

5

Hi Rodrigo,

I checked my timeline template to see what I might be doing differently, and I don't have any template fields defined for the filter criteria. The fields I toggle in the table below for column visibility seem to be the fields that show up in the Overview table.

I suggest removing the timeline template fields from the search criteria, but ensuring the target fields are toggled into the column view below, and then re-testing.

Kind Regards,

Matt

6

Hi, @elkn00b

Here you are a new screenshot about modified timeline:

suricata-new-template
suricata-new-template1918×468 47.7 KB

Thanks in advance,

Regards

7

Hi Rodrigo,

That's what I've got. Does it populate your Overview tab in the SIEM alerts results when tested?

Kind Regards,

Matt

8

Hi, @elkn00b

It does not populate Overview tab :frowning_face: .

Thanks for your support :smiley:.

Regards

9

Hi @RdrgPorto - Thanks for reaching out here, and thank you @elknoob for working with him to debug. Currently, there isn't actually a direct relationship between the document summary of the fly-out and the template fields. The fields shown in the document summary are based on some fields on the underlying event such as event.category. The fact that there's a match for @elknoob is coincidental. I'll make a note of this feedback!

For now, one thing you can do is create a timeline template and configure the default columns there.

1 Like
10

Hi, @Michael_Olorunnisola

Thanks for your answer :smiley: .

Have a nice week,

Regards

11

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.