SIEM Event Correlation rule returns no data

Kibana version 7.14.1
I am creating an Event Correlation rule in SIEM and the preview does not return any results. If I do the same query in Dev Tools it works.
I see that the preview runs some kind of java script but the dev tools appear to do a standard web request.
If I copy the request from Event Correlation which looks like this:

{ "filter: 
     { "range": { "@timestamp" 
            { "gte" : "2021-12-07T09:03:22.318Z", 
               "lte" : "2021-12-08T09:03:22.318Z",
                "format" : "strict_date_optional_time"  }
"query": "process where xxxxx == xxxx", "size": 100 }

If I paste into Dev Tools and GET on a wild card or specific index it works.
Is it possible there is a permissions issue? I am using the same account for the preview and the query.

I wonder if you're encountering this issue:

1 Like

Thanks for the reply. I don't think this is this issue but presumably an update would fix it? Cheers

When I look at a document where the preview works, the @timestamp value is in the _source section of the JSON.
A document where the preview does not work has the @timestamp in the _fields section.

Presumably the SIEM Event Correlation EQL query runs against the _source only?

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.