-
Notifications
You must be signed in to change notification settings - Fork 8.1k
-
Notifications
You must be signed in to change notification settings - Fork 8.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security Solution] Provide a workflow for adding runtime fields to an alerts index for unmapped fields #96894
Comments
Pinging @elastic/security-solution (Team: SecuritySolution) |
Pinging @elastic/security-threat-hunting (Team:Threat Hunting) |
@MikePaquette, @dontcallmesherryli this is the enhancement request that we discussed today with @stephmilovic @rylnd and @XavierM EDIT: Per our discussion, I also created the following bug |
As an alternative to adding each new field to the mapping permanently, perhaps timeline could add runtime fields for unmapped columns in the search request itself? https://www.elastic.co/guide/en/elasticsearch/reference/master/runtime-search-request.html If timeline can detect which fields are unmapped and attempt to add them into the query as runtime fields before loading the table then we can provide this enhancement without the additional user effort of adding the field to the mapping and also avoid leaving extra runtime fields in the mapping indefinitely. |
Thanks for suggesting this approach @marshallmain! We'll definitely consider it when we discuss the design and implementation. |
I believe until this recent change Security Solution didn't expect a non-conflicting data mapping on the indices that were queried. |
Unmapped fields in an alerts index, (e.g.
.siem-signals-default
) are not displayed in theDetection alerts
table, as shown in the screenshot below, until users take one of the following actions:In the screenshot above, the
user.effective.group.id
field displays the numeric value0
in theAlert details
view, but appears as a-
in the alerts table, because there is no mapping for this field in the alerts index.Since adding a runtime field doesn't require re-indexing the existing alert data, it's the preferable action for users to take when compared with manually adding a mapping to the alerts index (e.g.
.siem-signals-default
).The purpose of this enhancement request is to provide a UI workflow that assists the user in adding a runtime field to the alerts index, which would enable those fields to be displayed in the
Detections alerts
table. The workflow could, for example, automatically suggest the correct data type for the new runtime field by allowing the user to select which source index contains the correct definition of the field.Kibana/Elasticsearch Stack version:
7.12.0
The text was updated successfully, but these errors were encountered: