[Alerting][Event Log] Populate event log rule ECS fields with the Security specific rule data. #101677
Labels
- discuss
- estimate:small (Small Estimated Level of Effort)
- Feature:Actions/Framework (Issues related to the Actions Framework)
- Feature:Alerting
- insight (Issues related to user insight into platform operations and resilience)
- NeededFor:Detections and Resp
- Project:ObservabilityOfAlerting (Alerting team project for observability of alerting)
- Team:ResponseOps (Label for the ResponseOps team, formerly the Cases and Alerting teams)
This issue is a follow-up from the original PR.

Based on the conversation with the @elastic/security-detections-response team, we have the following list of fields which are currently not supported by the Alerting framework:

- rule.author: the Detection Rules do have a dedicated author field, but alerting rules don't. Should we use that?
- rule.version: is usually an auto-incrementing number that starts out at 1 and moves forward to 2, 3, 4, so it gives insight into what the version was. It gets updated on edits to particular fields such as author and name, but not on actions such as enabling/disabling the rule. We don't have anything similar in alerting.
- rule.description: the Detection Rules do have a dedicated field.
- rule.uuid: in Security Solution they populate a rule.id. Maybe it could be something else?