
[Security Solution] Missing ECS fields in alerts (.alerts-security.alerts-default) index mappings #153971

Closed
vitaliidm opened this issue Mar 29, 2023 · 2 comments
Labels
bug Fixes for quality problems that affect the customer experience Team:Detection Alerts Security Detection Alerts Area Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. triage_needed

Comments

@vitaliidm (Contributor)

vitaliidm commented Mar 29, 2023

Describe the bug:
Missing ECS fields in the alerts index.
It was reported in an internal SDH ticket.

Kibana/Elasticsearch Stack version:
At least 8.6+

Steps to reproduce:

  1. Create a document with the ECS field data_stream.namespace
  2. Create a rule that generates an alert from that document
  3. When an alert is generated, try to filter by data_stream.namespace from the alert view
  4. The field is not mapped in the alerts view and filtering does not work

[Screenshot 2023-03-29 at 19:52:42]

Any additional context (logs, chat logs, magical formulas, etc.):

This field is not searchable because data_stream.namespace is not in the mapping of the alerts index, even though it is an ECS field: it is absent from the ECS field map https://github.com/elastic/kibana/blob/8.7/x-pack/plugins/rule_registry/common/assets/field_maps/ecs_field_map.ts that is used to provision the .alerts-security.alerts-default index.

The solution could be to update this list so that it contains all missing ECS fields.
But it raises further questions: how changes in ECS can be tracked, and how to keep the ECS fields up to date.

Similar ticket for non ECS fields in alerts view: #131623
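The gap described in this issue (an ECS field that exists in the source document but has no entry in the alerts index mapping, so it cannot be filtered on) can be caught mechanically by diffing the ECS flat schema against the index's actual mapping. The script below is an added example written for this page; it is not Kibana's or Elastic's code, and both of its inputs are constructed samples: ECS_FLAT_SAMPLE mimics a few entries of the ECS project's generated ecs_flat.yml, and ALERTS_MAPPING_SAMPLE mimics a trimmed response from GET .alerts-security.alerts-default/_mapping. The function names audit_ecs_coverage and flatten_mapping are the example's own. It goes slightly beyond the issue by also flagging fields whose mapped type differs from the ECS type, since a field mapped as text instead of keyword is likewise not usable in an exact-match filter.

```python
"""Audit an alerts index mapping against the ECS flat schema.

Added example (not Kibana's or Elastic's code). Both inputs below are
constructed samples: ECS_FLAT_SAMPLE mimics a handful of entries from the
ECS project's generated ecs_flat.yml, and ALERTS_MAPPING_SAMPLE mimics a
trimmed `GET .alerts-security.alerts-default/_mapping` response.
"""
from typing import Dict, List, Tuple

# Constructed sample: dotted ECS field name -> ECS definition (only `type` is used here).
ECS_FLAT_SAMPLE: Dict[str, dict] = {
    "@timestamp": {"type": "date"},
    "data_stream.dataset": {"type": "constant_keyword"},
    "data_stream.namespace": {"type": "constant_keyword"},
    "data_stream.type": {"type": "constant_keyword"},
    "event.category": {"type": "keyword"},
    "host.name": {"type": "keyword"},
}

# Constructed sample of a _mapping response. The data_stream.* fields are absent
# on purpose (the situation in this issue), and host.name is mapped as text so
# that the type check below has something to flag.
ALERTS_MAPPING_SAMPLE: dict = {
    ".alerts-security.alerts-default-000001": {
        "mappings": {
            "properties": {
                "@timestamp": {"type": "date"},
                "event": {"properties": {"category": {"type": "keyword"}}},
                "host": {"properties": {"name": {"type": "text"}}},
                "kibana": {"properties": {"alert": {"properties": {
                    "rule": {"properties": {"name": {"type": "keyword"}}}}}}},
            }
        }
    }
}


def flatten_mapping(properties: dict, prefix: str = "") -> Dict[str, str]:
    """Walk a mapping's nested `properties` tree into {dotted.path: type}.

    Plain object containers (no explicit `type`) are not emitted as leaves;
    containers that do carry a type (e.g. `nested`) are emitted along with
    their children.
    """
    flat: Dict[str, str] = {}
    for name, spec in properties.items():
        path = prefix + name
        if "properties" in spec:
            if "type" in spec:
                flat[path] = spec["type"]
            flat.update(flatten_mapping(spec["properties"], path + "."))
        else:
            flat[path] = spec.get("type", "object")
    return flat


def audit_ecs_coverage(ecs_flat: Dict[str, dict], mapping_response: dict) -> Dict[str, dict]:
    """For each index in a _mapping response, report ECS fields that are absent
    from the mapping (not searchable from the alerts view) and ECS fields whose
    mapped type differs from the ECS type (possibly not filterable either)."""
    report: Dict[str, dict] = {}
    for index_name, body in mapping_response.items():
        mapped = flatten_mapping(body["mappings"].get("properties", {}))
        missing: List[str] = sorted(f for f in ecs_flat if f not in mapped)
        mismatched: Dict[str, Tuple[str, str]] = {
            f: (spec["type"], mapped[f])
            for f, spec in ecs_flat.items()
            if f in mapped and mapped[f] != spec["type"]
        }
        report[index_name] = {"missing": missing, "type_mismatch": mismatched}
    return report


if __name__ == "__main__":
    for index, result in audit_ecs_coverage(ECS_FLAT_SAMPLE, ALERTS_MAPPING_SAMPLE).items():
        print(index)
        for field in result["missing"]:
            print(f"  missing   {field}")
        for field, (want, got) in result["type_mismatch"].items():
            print(f"  mismatch  {field}: ecs={want} mapped={got}")
```

For a real run, replace ECS_FLAT_SAMPLE with the parsed ecs_flat.yml of the ECS version the stack claims to support and ALERTS_MAPPING_SAMPLE with the live _mapping body; some type differences are intentional (for example keyword in place of constant_keyword on data_stream.*) and would be allow-listed rather than treated as failures. Running this after every stack or ECS upgrade is one answer to the question above of how to track ECS changes against the provisioned index.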

@vitaliidm vitaliidm added bug Fixes for quality problems that affect the customer experience triage_needed Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. labels Mar 29, 2023
@elasticmachine (Contributor)


Pinging @elastic/security-solution (Team: SecuritySolution)

@vitaliidm vitaliidm changed the title [Security Solution] Missing ECS fields in alerts index [Security Solution] Missing ECS fields in alerts (.alerts-security.alerts-default) index Mar 29, 2023
@vitaliidm vitaliidm changed the title [Security Solution] Missing ECS fields in alerts (.alerts-security.alerts-default) index [Security Solution] Missing ECS fields in alerts (.alerts-security.alerts-default) index mappings Mar 29, 2023
@vitaliidm vitaliidm added the Team:Detection Alerts Security Detection Alerts Area Team label Mar 29, 2023
@vitaliidm (Contributor, Author)


Issue is already covered in #129946
