[Security Solution][Detections] No results in Rule Preview #119098
Labels: bug, impact:high, sdh-linked, Team:Detections and Resp, Team: SecuritySolution, v8.0.0
Summary
I have a test index for source events with custom non-ECS fields. If I create a rule that targets this index, I can't see any results in the Rule Preview, but the rule is able to find the events and generate alerts if you save and run it.
Repro steps
Create a custom index for source events and write a test object with a timestamp as of today:
Create a Custom query rule that should generate an alert based on it:
Observe no results in the Rule Preview:
Set a sufficient look-back time so the rule could find the source event (e.g. 48 hours). Save and run this rule, and it should find the event and generate an alert from it:
Environment
Local dev environment
Branch: main
Kibana config: