Personalization of the Highlighted fields in an Alert Rule #131778
Comments
Pinging @elastic/response-ops (Team:ResponseOps)
This is a good request so we don't have to parse 10 pages... I was directed here by support Case Update for #01026854. Please consider this a feature request. Kindly give us the option to manage the fields via GUI and not through code.
Pinging @elastic/security-solution (Team: SecuritySolution)
Agree, please could we get this feature implemented.
Would really like to see this implemented.
Pinging @elastic/security-detections-response (Team:Detections and Resp)
Any update on this?
I would also really like to see this implemented. 90% of the detections I work with now have highlighted fields that are not relevant to the investigation. If unable to add to the GUI of rule config, might we be able to add the desired highlighted fields to the rule query, similar to how SPL uses the "table" command?
While I don't have any updates on this particular issue of personalizing the highlighted fields, there has been some headway to addressing this sort of customization with the new 'insights in markdown' features added in With the latter you'll be able to provide custom markdown that can be used to surface particular fields from alerts in the alert details flyout, e.g. So hopefully this helps bridge the gap as we continue to add further customization here. We definitely appreciate all your feedback, so thank you for taking the time to submit it, and of course continue to watch this issue for updates. 🙂
Oh yeah, this would be great. Was just making a rule and would love for the winlog.event_data.Subject field to just be there. This is especially important for rules that don't follow the Elastic Common Schema, as it's often not easy for the responder to know which fields to look for.
Yeah, really hoping this PR goes through: #152871
I would also like to second the request to modify (or otherwise customize) the A potential use-case for a custom or saved
This could/would look something like this:
Hi team, We need to use the discover tab when we want to dig deep into the alert. Would be great to have:
One way to work around the issue right now is to manually create a search query in Discover and paste it in the connector alert, but we don't get the timestamps of the alert that way. Thanks.
Hey folks - working on this feature in this PR. |
Me waiting for this feature 🥶
Woot! Thank you @yctercero!!
In Kibana Security, there are some alerts that are triggered by alert rules.
When looking at the details of an alert, there is a sidebar that shows the Highlighted fields. These fields are supposed to be the most relevant ones, but often are not.
The request would be to define within the alert rule which Highlighted fields should appear (and in what order).
Thank you
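To make the request concrete, the following is an added illustration (not Kibana code, and not from anyone in this thread) of what a per-rule, ordered list of highlighted fields would mean when an alert is rendered: the rule carries a hypothetical `highlighted_fields` list that is applied in order, much like the SPL `table` command mentioned above, with a fallback to a fixed default set when the rule defines none. The `DEFAULT_HIGHLIGHTED_FIELDS` list, the rule key, and the sample rule and alert are all assumptions constructed for the example; the alert deliberately mixes nested and flattened field names and includes the non-ECS `winlog.event_data.Subject` field from the comment above, so the example also shows how missing and duplicate fields would be handled.

```python
"""Illustration of per-rule highlighted fields applied to an alert document.

This is an added example, not Kibana code: it sketches what the request in
this issue (an ordered list of highlighted fields defined on the rule) would
mean when rendering an alert, including the non-ECS case mentioned in the
thread (winlog.event_data.Subject) and fields missing from a given alert.
"""
from typing import Any

# Hypothetical default list, standing in for the fixed set shown today.
DEFAULT_HIGHLIGHTED_FIELDS = [
    "host.name",
    "user.name",
    "process.name",
    "source.ip",
    "destination.ip",
]


def get_field(doc: dict, path: str) -> Any:
    """Resolve a dotted field path against a nested alert document.

    Both nested objects ({"host": {"name": ...}}) and already-flattened keys
    ("host.name") are accepted, since alert documents appear in both shapes.
    Returns None when the path does not resolve.
    """
    if path in doc:
        return doc[path]
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def highlighted_fields(alert: dict, rule: dict) -> list[tuple[str, Any]]:
    """Return (field, value) pairs to show in the alert's highlighted section.

    Uses the rule's own "highlighted_fields" list (hypothetical key) in the
    order given, like an SPL `table` command, and falls back to the defaults
    when the rule does not define any. Duplicates are shown once, and fields
    absent from the alert are skipped so the panel only shows values the
    responder can act on.
    """
    wanted = rule.get("highlighted_fields") or DEFAULT_HIGHLIGHTED_FIELDS
    seen: set[str] = set()
    out: list[tuple[str, Any]] = []
    for field in wanted:
        if field in seen:
            continue
        seen.add(field)
        value = get_field(alert, field)
        if value is not None:
            out.append((field, value))
    return out


# Constructed sample data: a rule over a non-ECS Windows event and one alert.
SAMPLE_RULE = {
    "name": "Suspicious token adjustment (constructed example)",
    "highlighted_fields": [
        "winlog.event_data.Subject",
        "winlog.event_data.TargetUserName",
        "host.name",
        "user.name",       # not present in this alert: skipped
        "host.name",       # duplicate: shown once
    ],
}

SAMPLE_ALERT = {
    "@timestamp": "2024-01-01T12:00:00Z",
    "host": {"name": "ws01"},
    "winlog": {
        "event_data": {
            "Subject": "CORP\\svc-backup",
            "TargetUserName": "Administrator",
        }
    },
    "process.name": "svchost.exe",   # flattened key form
}


if __name__ == "__main__":
    for field, value in highlighted_fields(SAMPLE_ALERT, SAMPLE_RULE):
        print(f"{field}: {value}")
```

With the sample rule the panel would list the two `winlog.event_data` fields followed by `host.name`; with a rule that defines no list, only the default fields that actually exist on the alert (`host.name` and `process.name`) would be shown.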