Add runtime fields to detection alerts

Runtime fields are fields that you can add to documents after you’ve ingested your data. For example, you could combine two fields and treat them as one, or perform calculations on existing data and use the result as a separate field. Runtime fields are evaluated when a query is run.

You can add a runtime field to your detection alerts from the Alerts table. The new field applies to all Elastic Security alerts.

Runtime fields can impact performance, because they’re evaluated each time a query runs. Refer to Runtime fields for more information.

To add a runtime field to detection alerts:

  1. Go to Detect → Alerts, then click the Fields toolbar button at the upper-left of the Alerts table. The Fields browser opens.

    (Screenshot: Fields browser)
  2. Click Create field. The Create field flyout opens.

    (Screenshot: Create field flyout)
  3. Enter a Name for the new field.
  4. Select a Type for the field’s data type.
  5. Turn on the Set value toggle and enter a Painless script to define the field’s value. The script must match the selected Type. For more on adding fields and Painless scripting examples, refer to Explore your data with runtime fields.
  6. Use the Preview to help you build the script so that it returns the expected field value.
  7. Configure other field settings as needed.

    Some runtime field settings, such as custom labels and display formats, display in other areas of Kibana but may not display in the Elastic Security app.

  8. Click Save.
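As an added example (not taken from the Elastic documentation or the Elastic Security app), the following Painless script is the kind of value you would enter at step 5 for a field created with Type set to Keyword. It combines two existing alert fields into one, which is the first use case mentioned at the top of this page. It assumes the alert documents carry the ECS fields `user.name` and `host.name`; the guards cover alerts where either field is unmapped or empty, which would otherwise fail the query for every alert in the table.

```painless
// Added example, not from the Elastic docs: a Keyword runtime field that
// joins user.name and host.name into a single value such as "alice@web-01".
// Assumes both ECS fields are mapped on the alert index.
// doc.containsKey guards against the field being unmapped (doc['x'] on an
// unmapped field throws), and size() > 0 guards against alerts where the
// field is absent or empty.
if (doc.containsKey('user.name') && doc['user.name'].size() > 0
    && doc.containsKey('host.name') && doc['host.name'].size() > 0) {
  emit(doc['user.name'].value + '@' + doc['host.name'].value);
}
// When either field is missing, nothing is emitted: the runtime field is
// simply empty for that alert instead of breaking the whole Alerts table.
```

Because `emit` receives a String here, the field's Type must be Keyword; selecting a numeric type with this script produces an error in the Preview. Check the Preview against an alert that lacks one of the two fields as well as one that has both, so you see the empty case before saving.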

Manage runtime fields

From the Alerts table, you can manage runtime fields.

  1. Open the Fields browser (Detect → Alerts → Fields), then search for the runtime field you want.

    Click the Runtime column header twice to reorder the fields table with all runtime fields at the top.

  2. In the Actions column, select an option to edit or delete the runtime field.