Retrieve Documents in Threshold Signal

When a signal is created it contains a series of fields representing what I assume to be information regarding what triggered the rule. In particular the signal.parent.* fields (also signal.parents.*, not that I understand the difference), which often contain a document id. However, when the entry is created by a threshold trigger it represents some other value that is not a document id (at least not the default format expected), e.g. 00c876b0-bf18-11eb-a6e0-590e938f2721

Attempts at searching for a document with that id fail, and I presume it has something to do with how join queries are done. Though it might be the child/parent relationship thing, I could not figure out how to use it properly, as none of the mappings specify any relationships, including the signals indices.

Does anyone know how to use the information in a threshold signal to retrieve the documents that triggered it?



Hey @Amorik!

Thanks for your post. So I'm pulling from a past related question regarding threshold rules where my teammate @madi noted the following about threshold rule alerts:

We did update the functionality in 7.11 so that the fields queried in the original events will NOT be reflected in the signals. This was because the fields are not necessarily the same value across all matches, so it was ambiguous (wildcards can occur in the queries, for example)... that functionality is now provided by the timeline (when you click 'investigate in timeline', the original events are pulled back and you can see everything that matched) [...]
The Timeline functionality for threshold rules is a little unreliable currently, but will be tightened up in the upcoming 7.12 release. You should be able to visualize all the events that made up the signal in Timeline out of the box [...]

(Threshold Detection Ignoring Group By Field)

Essentially, you should be able to view each individual event relating to that threshold alert when you pull it into your Timeline. Let us know if that helps!


Timeline is nice and all, but how is this done outside of the detection's timeline? If I'm trying to integrate other tools to inquire about the signal via the REST API, like, say, a SOAR platform or a Python script, how do we get that relationship?