Hi community,
I am relatively new to the Elastic SIEM Timeline feature and wanted to understand whether I am missing something or whether it is intentionally built that way.
We are building a detection based on a threshold rule with a custom filter and query, and we also have a separate template, the "default template", attached to the same rule.
When generated alerts are investigated with the default template, they are viewed normally, but when I apply a custom template (created to include separate columns by default instead of the predefined columns when viewing it) to the same rule and view it, the timeline doesn't show any events at all.
My understanding:
The timeline template shouldn't remove the alert filter queries when the custom template is used.
It should use the rule filters configured within the threshold rule and also use the columns configured for display in the template.
What it is showing: I am unable to see any results when the custom template is added for investigation; I just see the column names I added to display the required data, but no data/results or filters, which are supposed to come from the triggered rule.
I would be grateful if someone could confirm whether this is expected from custom templates applied to threshold rules.
Thanks