The original document/raw event can't be found

I am seeing a situation similar to the one mentioned in this post below:
Little help understanding a document query issue:

I have this default Elastic Security rule enabled, i.e. High Number of Process and/or Service Termination, which is a threshold rule; its definition is shown in the screenshot below.

This rule is generating an alert for me, and the alert payload contains the field below:

"kibana.alert.ancestors": [
  {
    "depth": 0,
    "index": "endgame-*,logs-endpoint.events.process-*,logs-system.security*,logs-windows.forwarded*,logs-windows.sysmon_operational-*,winlogbeat-*",
    "id": "081c1490-1968-5ffe-a639-6e6ff2c10ad3",
    "type": "event"
  }
]

When I try to run a search against these indices to find the document using the id, I can't find the actual doc.

However, for the alerts generated by other Elastic custom query rules, I am able to track back to the original document by querying the values of the kibana.alert.ancestors.index and kibana.alert.ancestors.id fields.

So is this the expected behavior with threshold rules vs. custom query rules?
Another observation for the threshold rule is that the alert payload does not have the agent.id field in it. Is this the default behavior, or is this something that needs to be added as functionality on Elastic's side?

Kindly help/explain?

Hi @stephenb, @Mark_Hopkin, can you please help?

Hello @Sergie

It seems you have a similar query to the one below, right?

Thanks!!

Hi @Tortoise Yes (because the agent.id field is missing from the alert payload) and No (because I don't have response actions and hence no message) :slight_smile:

For my use case I am not able to track back to the original docs which generated this alert using this:

"kibana.alert.ancestors": [
  {
    "depth": 0,
    "index": "endgame-*,logs-endpoint.events.process-*,logs-system.security*,logs-windows.forwarded*,logs-windows.sysmon_operational-*,winlogbeat-*",
    "id": "081c1490-1968-5ffe-a639-6e6ff2c10ad3",
    "type": "event"
  }
]

Also, the agent.id field, as said in the previous comment, is missing from these threshold kind of alerts. Is this valid behavior, or is this an enhancement that can be done?