Hi,
Sorry, but it's not clear to us how Security Analytics handles SIEM rules and alias mapping!
My understanding is that we need an _index_template for packetbeat, e.g., and when we create a detector the alias will be added to this _index_template with a component template, correct?
But the packetbeat template was imported into _template, not _index_template, so when we create a detector a component template is created and not added to _template/packetbeat, and when a new daily packetbeat index is created there is a "mess" with the mapping: the _template/packetbeat doesn't seem to be used anymore, and dashboards are not displayed correctly either :-( !
Is it a bug, or did we miss something? If we need to have an _index_template for packetbeat, how can we do that?
Thanks for your help
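The precedence rule behind the behaviour described in the post, as an added example that is not the poster's code or OpenSearch's own implementation: a composable _index_template that matches an index name takes effect and all legacy _template definitions are ignored for that index, so a composable template carrying only a detector's component template shadows a legacy packetbeat mapping. The template and component names are constructed for illustration, and the example assumes a composable template referencing the detector's component exists.

```python
"""Simulate which template OpenSearch/Elasticsearch applies to a new index.

Rule: if any composable _index_template matches, the highest-priority one wins
and legacy _template definitions are ignored. Legacy templates are consulted
only when no composable template matches, and then all matches are merged with
higher 'order' overriding lower. Names below are constructed, not real ones.
"""
from fnmatch import fnmatchcase


def _matches(index_name, template):
    return any(fnmatchcase(index_name, p) for p in template["index_patterns"])


def resolve_template(index_name, composable, legacy):
    """Return ('index_template', name), ('legacy', [names low->high order]) or (None, None)."""
    hits = [t for t in composable if _matches(index_name, t)]
    if hits:
        best = max(hits, key=lambda t: t.get("priority", 0))
        return ("index_template", best["name"])
    legacy_hits = sorted((t for t in legacy if _matches(index_name, t)),
                         key=lambda t: t.get("order", 0))
    if legacy_hits:
        return ("legacy", [t["name"] for t in legacy_hits])
    return (None, None)


def effective_components(index_name, composable, legacy):
    """Component templates merged into the index (empty for legacy/no match)."""
    kind, name = resolve_template(index_name, composable, legacy)
    if kind != "index_template":
        return []
    return next(t for t in composable if t["name"] == name).get("composed_of", [])


# constructed: legacy packetbeat template as imported into _template
LEGACY = [{"name": "packetbeat", "index_patterns": ["packetbeat-*"], "order": 1}]
# constructed: a composable template carrying only the detector's alias component
DETECTOR_ONLY = [{"name": "example-detector-template", "index_patterns": ["packetbeat-*"],
                  "priority": 10, "composed_of": ["example-detector-alias-component"]}]
# constructed fix: one composable packetbeat template composed of both components
FIXED = [{"name": "packetbeat", "index_patterns": ["packetbeat-*"], "priority": 100,
          "composed_of": ["packetbeat-mappings", "example-detector-alias-component"]}]

if __name__ == "__main__":
    day = "packetbeat-2024.05.01"
    print(resolve_template(day, [], LEGACY))            # legacy template still used
    print(resolve_template(day, DETECTOR_ONLY, LEGACY)) # legacy mapping shadowed
    print(effective_components(day, FIXED, LEGACY))     # both components applied
```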