Watchers and Elastic Security

Hi!

I have a lot of detections on my watchers. Is it possible to have the alert generated by watchers in the Detection section of Elastic Security SIEM?

Depending on the actions configured in your watchers:

If you have an action which ingests data into your Elastic cluster, you can add event.kind: alert to the document to have it show up as an external alert.

You can then use a single query detection to have them all show up as signals in the detections tab.

rule name override = message
query = event.kind:alert

Pseudo code, of course.

This is by far the most reliable method I have discovered.
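The procedure in the answer above, written out as an added example that is not part of the original thread: a Watcher whose index action stamps each document with event.kind: alert, the detection rule body that picks those documents up with the query event.kind:alert and rule_name_override set to message, and a small offline simulation of what that rule would turn into signals. The field names follow the Watcher and Kibana detection-engine APIs; the watch id, index names, the failed-login query and the sample documents are assumptions.

```python
"""Added example (not from the forum thread): Watcher -> external alert ->
Elastic Security single-query detection rule, plus an offline simulation."""
import json

ALERT_INDEX = "watcher-alerts"   # assumed: index the watcher action writes to
SOURCE_INDICES = ["logs-*"]      # assumed: indices the watcher searches
WATCH_ID = "failed_logins"       # assumed watch id (PUT _watcher/watch/<WATCH_ID>)


def build_watch(interval="5m", min_hits=0):
    """Watcher body. The index action's transform replaces ctx.payload with a
    small document carrying event.kind: alert, which is what Elastic Security
    uses to recognise an external alert."""
    transform_src = (
        "return ['@timestamp': ctx.execution_time, "
        "'message': 'Watcher ' + ctx.watch_id + ' fired', "
        "'event': ['kind': 'alert'], "
        "'watcher': ['hits': ctx.payload.hits.total]];"
    )
    return {
        "trigger": {"schedule": {"interval": interval}},
        "input": {"search": {"request": {
            "indices": SOURCE_INDICES,
            # assumed search: count failed outcomes in the last interval
            "body": {"size": 0, "query": {"match": {"event.outcome": "failure"}}},
        }}},
        "condition": {"compare": {"ctx.payload.hits.total": {"gt": min_hits}}},
        "actions": {"index_alert": {
            "transform": {"script": {"lang": "painless", "source": transform_src}},
            "index": {"index": ALERT_INDEX},
        }},
    }


def build_detection_rule():
    """Body for POST /api/detection_engine/rules: one query rule catches every
    watcher-produced alert, and rule_name_override names each signal after the
    document's message field instead of the rule's own name."""
    return {
        "name": "Watcher alerts",
        "description": "Surfaces documents indexed by Watcher actions as signals",
        "type": "query",
        "language": "kuery",
        "query": "event.kind:alert",
        "index": [ALERT_INDEX + "*"],
        "rule_name_override": "message",
        "risk_score": 50,
        "severity": "medium",
        "interval": "5m",
        "from": "now-6m",
        "enabled": True,
    }


def _get_field(doc, path):
    """Resolve a dotted ECS path such as event.kind against a nested dict."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def detect(docs, rule):
    """Offline model of the rule: only the single field:value KQL form used
    here is supported. Returns the signal names the rule would produce, using
    the rule_name_override field and falling back to the rule name."""
    field, sep, value = rule["query"].partition(":")
    if not sep:
        raise ValueError("only field:value queries are modelled")
    names = []
    for doc in docs:
        if _get_field(doc, field.strip()) != value.strip():
            continue
        names.append(_get_field(doc, rule["rule_name_override"]) or rule["name"])
    return names


SAMPLE_DOCS = [  # constructed documents, not real cluster output
    {"@timestamp": "2024-01-01T00:00:00Z", "message": "Watcher failed_logins fired",
     "event": {"kind": "alert"}, "watcher": {"hits": 12}},
    {"@timestamp": "2024-01-01T00:00:01Z", "message": "user login ok",
     "event": {"kind": "event", "outcome": "success"}},
    # alert without a message: rule_name_override has nothing to use
    {"@timestamp": "2024-01-01T00:00:02Z", "event": {"kind": "alert"}},
]

if __name__ == "__main__":
    print(json.dumps(build_watch(), indent=2))
    print(json.dumps(build_detection_rule(), indent=2))
    print(detect(SAMPLE_DOCS, build_detection_rule()))
```

The third sample document shows the one caveat worth checking before relying on this: if a watcher action indexes a document without a message field, the signal falls back to the generic rule name, so every watcher's transform should populate whatever field the override points at.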
