[Session Viewer Auditbeat] Add support for Event.action Executed #179397
Comments
Pinging @elastic/kibana-cloud-security-posture (Team:Cloud Security)
Testing PR Instructions Prerequisites:
Alert View
Currently, there is a bug where Auditbeat index has missing cc: @mjwolf @kfirpeled
Sounds like a good stop-gap solution to me until the bug is fixed.
I assume we could fix bugs during BCs or after FF. Isn't it?
@mjwolf are you able to get this bug fixed before the next BC? I looked into filtering events on the FE, and it's a bit more complicated and the code belongs to the Security Solutions team. Hence, bugs should be fixed after FF. cc: @nick-alayil
Summary:
As part of the Session Viewer Auditbeat epic, we need to enable Session Viewer to support Auditbeat events. Currently, Session Viewer only supports `event.action`: 'fork', 'exec', and 'end' from the `logs-endpoint` index and `logs-cloud-defend`. Once we have completed configuring the `auditbeats-*` index, we need to update Event Action to support `executed`.

Definition of Done:
- `Event.Action` to include `executed`
- `event.action: ['fork', 'executed']` should show.
- `exec` and `executed` when Auditbeat's `replace_fields` setting

References