Add kibana.alert.original_data_stream to the list of alert schema fields (elastic#3011)
@rylnd @yctercero let me know if I got this right or suggest anything
you'd like to see. The original issue mentions that
`kibana.alert.original_event.*` behaves similarly but it's not described
much in the docs from what I could find, so we may also clarify things
for that one if you feel it's needed.
Once we're good with the content here, I'll create the corresponding PR
for 8.19, as docs for this version are still in asciidoc in their
previous location.
Closes: elastic#2673
reference/security/fields-and-object-schemas/alert-schema.md
3 additions & 3 deletions
@@ -42,12 +42,11 @@ The non-ECS fields listed below are beta and subject to change.
42
42
|[`client.*`](ecs://reference/ecs-client.md)| ECS `client.*` fields copied from the source document, if present, for custom query and indicator match rules. |
43
43
|[`cloud.*`](ecs://reference/ecs-cloud.md)| ECS `cloud.*` fields copied from the source document, if present, for custom query and indicator match rules. |
44
44
|[`container.*`](ecs://reference/ecs-container.md)| ECS `container.* fields` copied from the source document, if present, for custom query and indicator match rules. |
45
-
|[`data_stream.*`](ecs://reference/ecs-data_stream.md)| ECS `data_stream.*` fields copied from the source document, if present, for custom query and indicator match rules.<br>**Note:** These fields may be constant keywords in the source documents, but are copied into the alert documents as keywords. |
46
45
|[`destination.*`](ecs://reference/ecs-destination.md)| ECS `destination.*` fields copied from the source document, if present, for custom query and indicator match rules. |
47
46
|[`dll.*`](ecs://reference/ecs-dll.md)| ECS `dll.*` fields copied from the source document, if present, for custom query and indicator match rules. |
48
47
|[`dns.*`](ecs://reference/ecs-dns.md)| ECS `dns.*` fields copied from the source document, if present, for custom query and indicator match rules. |
49
48
|[`error.*`](ecs://reference/ecs-error.md)| ECS `error.*` fields copied from the source document, if present, for custom query and indicator match rules. |
50
-
|[`event.*`](ecs://reference/ecs-event.md)| ECS `event.*` fields copied from the source document, if present, for custom query and indicator match rules.<br>**Note:** categorization fields above (`event.kind`, `event.category`, `event.type`, `event.outcome`) are listed separately above. |
49
+
|[`event.*`](ecs://reference/ecs-event.md)| ECS `event.*` fields copied from the source document, if present, for custom query and indicator match rules.<br>**Note:** categorization fields (`event.kind`, `event.category`, `event.type`, `event.outcome`) are listed separately. |
51
50
|[`file.*`](ecs://reference/ecs-file.md)| ECS `file.*` fields copied from the source document, if present, for custom query and indicator match rules. |
52
51
|[`group.*`](ecs://reference/ecs-group.md)| ECS `group.*` fields copied from the source document, if present, for custom query and indicator match rules. |
53
52
|[`host.*`](ecs://reference/ecs-host.md)| ECS `host.*` fields copied from the source document, if present, for custom query and indicator match rules. |
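Review bot: removing the `data_stream.*` row (the line beginning `|[`data_stream.*`](ecs://reference/ecs-data_stream.md)|`) also drops the only place this page says that these fields may be constant keywords in the source document but are copied into the alert as keywords; unless that caveat is carried over to the new `kibana.alert.original_data_stream.*` row, readers lose it. The commit title only mentions adding the new field, so the commit message should also say why the top-level `data_stream.*` entry is going away (no longer copied, or documented elsewhere), especially since the neighbouring `event.*` row stays while `kibana.alert.original_event.*` exists alongside it. The wording fix in the `event.*` note (dropping the duplicated "above") looks good.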
@@ -77,7 +76,8 @@ The non-ECS fields listed below are beta and subject to change.
77
76
|`kibana.alert.ancestors.*`| Type: object |
78
77
|`kibana.alert.depth`| Type: Long |
79
78
|`kibana.alert.new_terms`| The value of the new term that generated this alert.<br>Type: keyword |
80
-
|`kibana.alert.original_event.*`| Type: object |
79
+
|`kibana.alert.original_data_stream.*` {applies_to}`stack: ga 9.1`| Data stream information copied from the original source event, including `dataset`, `namespace`, and `type` fields.<br>Type: object |
80
+
|`kibana.alert.original_event.*`| Event information copied from the original source event.<br>Type: object |
81
81
|`kibana.alert.original_time`| The value copied from the source event (`@timestamp`).<br>Type: date |
82
82
|`kibana.alert.reason`| Type: keyword |
83
83
|`kibana.alert.rule.author`| The value of the `author` who created the rule. Refer to [configure advanced rule settings](/solutions/security/detect-and-alert/create-detection-rule.md#rule-ui-advanced-params).<br>Type: keyword |
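Review bot: the new `kibana.alert.original_data_stream.*` row names `dataset`, `namespace`, and `type` but gives only `Type: object` for the parent; since this row now replaces the top-level `data_stream.*` entry from the previous hunk, consider stating the sub-field type here (for example, that they are stored as keywords in the alert document, as the removed note said) so the type information does not disappear from the page. Also check that placing the `{applies_to}` badge inside the field-name cell is the convention used elsewhere in this docs set; no other row in this table carries one, so there is nothing on the page to compare against.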