Description
Describe the bug:
- The rule preview graph (Lens) is not working for the custom SentinelOne rule.
Build Details:
VERSION: 8.16.0 - Snapshot
BUILD: 78109
COMMIT: 31bd6acae7e84e686c7b1264967b577c1ef0f20d
Preconditions
- Kibana should be running.
- Create a custom SentinelOne rule with these settings:
  - For index patterns, add
    logs-sentinel_one.alert*
  - For query, add
    observer.serial_number:*
- SentinelOne alerts should have been generated within the last hour.
Steps to Reproduce
- Navigate to the SentinelOne rule's edit settings.
- Scroll to the rule preview section.
- Select a timeframe of 1 hour.
- Click the refresh button.
- Observe that the rule preview graph (Lens) does not work for the custom SentinelOne rule and shows the message:
  The "event.category" field can not be used for filtering.
  even though the event.category field is present in the alert data.
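One check worth running when triaging a report like this is whether event.category is actually mapped as searchable and aggregatable in every backing index matched by logs-sentinel_one.alert*, since Lens derives filterability from the field capabilities of the data view rather than from the documents themselves. The script below is an added example, not code from the issue or from Kibana; the _field_caps response it parses is a constructed sample shaped like the output of GET /logs-sentinel_one.alert*/_field_caps?fields=event.category.

```python
"""Check whether a field is consistently filterable across the backing indices
of an index pattern, from an Elasticsearch _field_caps response.

Added diagnostic, not part of the issue or of Kibana. SAMPLE_FIELD_CAPS is a
CONSTRUCTED response shaped like the output of
GET /logs-sentinel_one.alert*/_field_caps?fields=event.category
"""
import json

# Constructed sample: index 000001 maps event.category as keyword, 000002 has it
# as a non-searchable text field, 000003 lacks the field entirely.
SAMPLE_FIELD_CAPS = json.dumps({
    "indices": [
        ".ds-logs-sentinel_one.alert-default-000001",
        ".ds-logs-sentinel_one.alert-default-000002",
        ".ds-logs-sentinel_one.alert-default-000003",
    ],
    "fields": {
        "event.category": {
            "keyword": {"type": "keyword", "metadata_field": False,
                        "searchable": True, "aggregatable": True,
                        "indices": [".ds-logs-sentinel_one.alert-default-000001"]},
            "text": {"type": "text", "metadata_field": False,
                     "searchable": False, "aggregatable": False,
                     "indices": [".ds-logs-sentinel_one.alert-default-000002"]},
        }
    },
})


def field_filter_status(field_caps_json: str, field: str) -> dict:
    """Per-index status of `field`: 'ok' (searchable and aggregatable),
    'not_filterable' (mapped but not both), or 'missing' (not mapped)."""
    caps = json.loads(field_caps_json)
    all_indices = caps.get("indices", [])
    status = {idx: "missing" for idx in all_indices}
    for type_caps in caps.get("fields", {}).get(field, {}).values():
        # When the field has a single mapping across all indices, "indices" is omitted.
        covered = type_caps.get("indices", all_indices)
        ok = type_caps.get("searchable", False) and type_caps.get("aggregatable", False)
        for idx in covered:
            status[idx] = "ok" if ok else "not_filterable"
    return status


def problem_indices(field_caps_json: str, field: str) -> list:
    """Indices where `field` cannot be used for filtering, sorted by name."""
    return sorted(i for i, s in field_filter_status(field_caps_json, field).items() if s != "ok")
```

Against a live cluster, feed the real _field_caps JSON to problem_indices("…", "event.category"); an empty list means the field is consistently filterable and the mapping is not the explanation.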
Actual result
- The rule preview graph (Lens) is not working for the custom SentinelOne rule.
Expected Result
- The rule preview graph (Lens) should work for the custom SentinelOne rule.
What's working
- The preview works fine for the endpoint rule and for the other custom rules that use Elastic Agent data.
Screen-cast
Detection.rules.SIEM.-.Kibana.Mozilla.Firefox.2024-09-12.13-15-56.mp4
Logs
- N/A