Hi, I already created a threshold-based detection and it detected successfully. But I realized it only displays specific fields, which is different from a query-based detection, which contains all fields when the rule triggers the alert.
After reading some information about threshold detection, I found it is based on aggregation, so I suppose a threshold-based detection only displays information for what it aggregates. If I do an aggregate search manually, I can aggregate inside of an aggregation to display the extra fields I need. How can I do the same with SIEM threshold-based rules?
As an example, I created a threshold-based rule to detect more than 10 failed logins and selected the field source.ip to group the results. The rule is triggered and I can see the IPs that have multiple failed logins, but I can't see the user name information.
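The "aggregation inside an aggregation" the question describes, reproduced as an added example (not part of the original post): an Elasticsearch query body with a terms aggregation on source.ip (the rule's group-by field) and a nested terms aggregation on user.name (the extra field), plus an in-memory equivalent that runs the same grouping over constructed sample events. Field names follow ECS; the sample events, the bucket names by_group/by_sub and the function names are assumptions for illustration.

```python
"""Threshold-style grouping on source.ip with a nested terms aggregation on
user.name, as an Elasticsearch query body and as an in-memory equivalent."""
from collections import Counter, defaultdict

# Constructed sample events (not real log data); ECS field names, flattened.
SAMPLE_EVENTS = (
    [{"source.ip": "203.0.113.5", "user.name": "alice", "event.outcome": "failure"}] * 7
    + [{"source.ip": "203.0.113.5", "user.name": "bob", "event.outcome": "failure"}] * 5
    + [{"source.ip": "198.51.100.9", "user.name": "carol", "event.outcome": "failure"}] * 3
    + [{"source.ip": "198.51.100.9", "user.name": "carol", "event.outcome": "success"}] * 2
    + [{"source.ip": "192.0.2.77", "user.name": "root", "event.outcome": "failure"}] * 11
)


def build_es_query(group_field="source.ip", sub_field="user.name", threshold=10):
    """Elasticsearch aggregation body (assumed bucket names by_group/by_sub).

    The outer terms aggregation is the rule's group-by; the inner terms
    aggregation surfaces the extra field per bucket. min_doc_count drops
    buckets at or below the threshold, mirroring 'more than N failed logins'.
    """
    return {
        "size": 0,
        "query": {"bool": {"filter": [{"term": {"event.outcome": "failure"}}]}},
        "aggs": {
            "by_group": {
                "terms": {"field": group_field, "min_doc_count": threshold + 1, "size": 100},
                "aggs": {"by_sub": {"terms": {"field": sub_field, "size": 50}}},
            }
        },
    }


def threshold_with_subagg(events, group_field="source.ip", sub_field="user.name", threshold=10):
    """In-memory equivalent of build_es_query().

    Counts failures per group_field, keeps groups whose count exceeds the
    threshold, and attaches the per-sub_field counts for each kept group.
    Returns {group_value: {"count": n, sub_field: {sub_value: n, ...}}}.
    """
    counts = Counter()
    sub_counts = defaultdict(Counter)
    for ev in events:
        if ev.get("event.outcome") != "failure":
            continue
        key = ev.get(group_field)
        if key is None:  # events without the group field never form a bucket
            continue
        counts[key] += 1
        sub_counts[key][ev.get(sub_field, "<missing>")] += 1
    return {
        key: {"count": n, sub_field: dict(sub_counts[key])}
        for key, n in counts.items()
        if n > threshold
    }


if __name__ == "__main__":
    import json

    print(json.dumps(build_es_query(), indent=2))
    for ip, info in threshold_with_subagg(SAMPLE_EVENTS).items():
        print(f"{ip}: {info['count']} failures, users={info['user.name']}")
```

The query body can be sent to the index the rule reads from (for instance via the Dev Tools console) to see, for each source.ip bucket that would cross the threshold, which user.name values sit behind it; the in-memory function applies the same logic to the constructed events so the bucket and sub-bucket shape can be checked without a cluster.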