SIEM doesn't show any Winlogbeat events, despite ES receiving them

Hi @aura, as you've discovered, it seems that some of your fields are not being mapped to the correct Elasticsearch datatypes. Elastic Common Schema (ECS) specifies that fields such as host.name must be of the keyword datatype. Indeed, as you've also discovered, Elastic SIEM relies specifically on host.name to be present as a condition for populating many visualizations with host data.

I'm not sure how familiar you are with Elasticsearch mapping and index templates, as they can be challenging. The ECS GitHub repository provides an example template here.

FYI, we've been pulling together some additional notes about ECS fields required to use Elastic SIEM. We hope these might be helpful as you add additional data sources to your SIEM.

Notes for Elastic SIEM users

The Elastic SIEM app queries, filters, aggregates, and/or displays a growing list of ECS fields. For an optimal experience with Elastic SIEM, and to reduce time spent on updating your ingestion pipelines in the future, please follow the Converting your data to ECS instructions, populating as many ECS fields as practical, paying particular attention to:

  • Ensure that your network events populate ECS source and destination fields. Network events may not be displayed in the SIEM app network views if source.ip and destination.ip fields are not populated.
  • If you have network protocol events, be sure to populate the http, dns, and tls field sets.
  • Ensure that your host events populate ECS host fields. Host events will not be displayed in the SIEM app host views if the host.name field is not populated. Recall that host.name should be populated with the name of the host where the event happened, not the name of a collector or observer.
  • If your host events contain details about process activity, ensure that your fields are mapped to the corresponding ECS process fields.
  • Be sure that for all your events, you populate the ECS categorization fields: event.kind, event.category, event.type, and event.outcome. SIEM authentication and process widgets depend on these fields being populated. Also, try to populate the ECS event.action field with relevant details for your event.
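As an added illustration (not part of the reply above, and not Elastic's own code), here is a small Python pre-ingestion check built from the list above: an index-template mapping fragment that gives host.name and the event.* categorization fields the keyword datatype and source.ip/destination.ip the ip datatype, plus a function that reports which SIEM-relevant ECS fields a document lacks. It assumes, for simplicity, that an event.category containing "network" is a network event and anything else is a host event; the sample document is constructed for the example.

```python
# Mapping fragment for an index template (e.g. "index_patterns": ["winlogbeat-*"]),
# limited to the ECS fields the SIEM notes above call out. Constructed example.
SIEM_MAPPINGS = {
    "properties": {
        "host": {"properties": {"name": {"type": "keyword"}}},
        "source": {"properties": {"ip": {"type": "ip"}}},
        "destination": {"properties": {"ip": {"type": "ip"}}},
        "event": {"properties": {
            f: {"type": "keyword"}
            for f in ("kind", "category", "type", "outcome", "action")}},
    }
}

# Constructed Winlogbeat-style host event that carries only an observer name,
# which is the situation the reply warns about (host.name must be the host).
SAMPLE_EVENT = {
    "event": {"kind": "event", "category": "process", "type": "start",
              "outcome": "success", "action": "Process Create"},
    "observer": {"name": "log-collector-01"},
}

def get_path(doc, path):
    """Walk a dotted ECS field name through a nested dict; None if absent."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur

def siem_gaps(doc):
    """Return SIEM-relevant ECS fields missing from `doc`, in check order.
    Categorization fields are required for every event; network events
    (assumed: event.category contains "network") need source.ip and
    destination.ip; all other events are treated as host events and need
    host.name."""
    required = ["event.kind", "event.category", "event.type", "event.outcome"]
    category = get_path(doc, "event.category")
    cats = category if isinstance(category, list) else [category]
    required += ["source.ip", "destination.ip"] if "network" in cats else ["host.name"]
    return [f for f in required if get_path(doc, f) in (None, "")]

def mapping_type(field):
    """Datatype SIEM_MAPPINGS assigns to a dotted field name, or None."""
    node = SIEM_MAPPINGS
    for part in field.split("."):
        node = node.get("properties", {}).get(part)
        if node is None:
            return None
    return node.get("type")

if __name__ == "__main__":
    print("missing:", siem_gaps(SAMPLE_EVENT))  # the sample lacks host.name
```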