[bug] View alerts in SIEM uses a different query as overview #76625
Labels
Team: SecuritySolution
Team:SIEM
triage_needed
Kibana version:
7.9
Elasticsearch version:
7.9
Server OS version:
Linux hostname 3.10.0-1127.18.2.el7.x86_64 #1 SMP Mon Jul 20 22:32:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
Browser version:
Google Chrome Version 85.0.4183.83 (Official Build) (64-bit)
Browser OS version:
Original install method (e.g. download page, yum, from source, etc.):
yum
Describe the bug:
The overview page for Security displays external alerts correctly, but the host->external alerts tab does not display the alerts.
It appears as if different queries are used.
Steps to reproduce:
Expected behavior:
See the external alerts in the "view alerts" pane.
Screenshots (if relevant):
Provide logs and/or server output (if relevant):
Query used by overview
Query used by host tab
This one adds the host.name filter
Any additional context:
These external alerts are incidents in an external system and do not have a host.name field.
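The mechanism the report describes (a host-scoped view adding a `host.name` term filter that can never match an alert without that field) is easy to reproduce offline. The block below is an added illustration, not code from this issue or from the Kibana/Elastic codebase: the index documents, the query shapes `overview_query` and `host_tab_query`, and the tiny Query DSL evaluator `matches` are all constructed assumptions, since the real queries are not reproduced on the page. It also adds the diagnostic a practitioner would want next, a `must_not exists` query that lists alerts no host tab can ever show.

```python
"""Added example (not the Kibana project's code). Reproduces, over constructed
documents, why a term filter on host.name drops alerts that lack the field.
All document contents and query shapes here are assumptions for illustration."""
import json

# Constructed ECS-style alert documents. The third one mimics an alert from an
# external incident system and deliberately carries no host.name field.
SAMPLE_DOCS = [
    {"event": {"kind": "alert"}, "host": {"name": "web-01"}, "message": "EDR detection"},
    {"event": {"kind": "alert"}, "host": {"name": "web-02"}, "message": "EDR detection"},
    {"event": {"kind": "alert"}, "source_system": "external-soar", "message": "incident 4711"},
]


def get_field(doc, path):
    """Resolve a dotted field path such as 'host.name'; None if any part is absent."""
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches(doc, query):
    """Minimal evaluator for the Query DSL subset used here: bool(filter, must_not), term, exists.
    Like Elasticsearch, a term clause on a missing field simply does not match."""
    if "bool" in query:
        b = query["bool"]
        return (all(matches(doc, q) for q in b.get("filter", []))
                and not any(matches(doc, q) for q in b.get("must_not", [])))
    if "term" in query:
        (field, value), = query["term"].items()
        return get_field(doc, field) == value
    if "exists" in query:
        return get_field(doc, query["exists"]["field"]) is not None
    raise ValueError("unsupported clause: " + json.dumps(query))


def overview_query():
    """Assumed shape of the overview query: only an alert-kind filter, no host scoping."""
    return {"bool": {"filter": [{"term": {"event.kind": "alert"}}]}}


def host_tab_query(host_name):
    """Assumed shape of the host tab query: the overview filter plus a host.name term filter."""
    q = overview_query()
    q["bool"]["filter"].append({"term": {"host.name": host_name}})
    return q


def count(query, docs=SAMPLE_DOCS):
    """Number of documents the query would return."""
    return sum(1 for d in docs if matches(d, query))


def alerts_missing_host(docs=SAMPLE_DOCS):
    """Diagnostic: alerts that no host-scoped view can ever display, because host.name is absent."""
    q = {"bool": {"filter": [{"term": {"event.kind": "alert"}}],
                  "must_not": [{"exists": {"field": "host.name"}}]}}
    return [d for d in docs if matches(d, q)]


if __name__ == "__main__":
    print("overview:", count(overview_query()))
    print("host tab web-01:", count(host_tab_query("web-01")))
    # Summing every host tab still misses the external alert: it is unreachable by host.
    print("sum over host tabs:", sum(count(host_tab_query(h)) for h in ("web-01", "web-02")))
    print("unreachable:", [d["message"] for d in alerts_missing_host()])
```

Running the `must_not exists` diagnostic against the real alerts index is the quickest way to confirm the report: if it returns documents, those alerts are visible in the overview totals but can never appear under any host, regardless of how the host tab is rendered.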