This issue is a follow up from the original PR.
Based on the conversation with the @elastic/security-detections-response team, we have got the following list of fields, which are currently not supported by the Alerting framework:
rule.author - the Detection Rules do have a dedicated author field, but alerting rules don't. Should we use that?
rule.version - is usually an auto-incrementing number that starts out at 1 and moves forward to 2, 3, 4, so it gives insight into what the version was. It gets updated if particular fields such as author or name are edited, but not on actions such as enabling/disabling the rule. We don't have anything similar in alerting.
rule.description - the Detection Rules do have a dedicated field.
rule.uuid - in Security Solution they populate a rule.id. Maybe it could be something else?