
[Falco]: Dashboard seems to be broken #11511

Open
nick-alayil opened this issue Oct 24, 2024 · 1 comment
Labels
Integration:falco Falco needs:triage Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations]

Comments

@nick-alayil
Contributor

nick-alayil commented Oct 24, 2024

Integration Name

Falco [falco]

Dataset Name

falco.alerts

Integration Version

1.0.2

Agent Version

8.16

Agent Output Type

elasticsearch

Elasticsearch Version

8.16

OS Version and Architecture

Amazon Linux 2023

Software/API Version

No response

Error Message

No response

Event Original

No response

What did you do?

Ingest Falco data into Elastic using Falcosidekick, but it could be done using the Falco integration as well. In the context of this issue, how the data is ingested has less relevance. Irrespective of the ingestion methodology, it runs through the same pipelines and would end up populated in the dashboard.

What did you see?

The Falco dashboard seems to be broken because it looks at the log-* index pattern, which ends up showing broken widgets / cards in the dashboard. Also, in the Alerts by Host - Top 10 [Logs Falco] widget / card, the table expects a host.hostname field, which is in fact not present in the falco.alerts datastream. I tried to duplicate the dashboard and edited it to look specifically at the logs-falco* index pattern by creating a new data view and making most of the widgets / cards look at the new data view, which fixed many of the broken experiences. The details of this explanation are visible in the attached recording. Sorry for the lengthy 2:10 recording.

https://upload.elastic.co/d/9a180431a47a43b55c42881fc6cfef3c1c79f6944bdf9427cf500313f1820108
AuthZ token: f92143b2d591efab

What did you expect to see?

The expectation is to see only data from logs-falco* reflected in all the widgets / cards inside the Falco dashboard.

Anything else?

No response

@nick-alayil nick-alayil added needs:triage Team:Security-Service Integrations Security Service Integrations Team [elastic/security-service-integrations] labels Oct 24, 2024
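The two defects described in the report (panels scoped to a broad data view instead of the integration's own datastream, and a panel aggregating on a field the datastream does not carry) can be caught before a dashboard ships by auditing the Kibana saved-objects export. The script below is an added example, not part of the issue or the Falco integration; it assumes the broad data view is titled `logs-*`, that panels are classic `visualization` objects whose `visState` is a JSON string, and uses a constructed field list in place of the real falco.alerts mapping.

```python
import json

# Constructed stand-in for the falco.alerts field list (the real mapping comes
# from the integration's field definitions); note host.hostname is absent.
FALCO_FIELDS = {"@timestamp", "message", "host.name", "falco.rule", "falco.priority"}

def field_refs(node):
    """Yield every string stored under a 'field' key anywhere in a visState tree."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "field" and isinstance(value, str):
                yield value
            else:
                yield from field_refs(value)
    elif isinstance(node, list):
        for item in node:
            yield from field_refs(item)

def audit_export(ndjson_text, expected_pattern, known_fields):
    """Return (panel title, kind, detail) for wrongly scoped panels or unknown fields."""
    objs = [json.loads(line) for line in ndjson_text.splitlines() if line.strip()]
    # Data views export as type "index-pattern"; attributes.title holds the pattern.
    views = {o["id"]: o["attributes"]["title"] for o in objs if o["type"] == "index-pattern"}
    findings = []
    for o in (o for o in objs if o["type"] == "visualization"):
        title = o["attributes"].get("title", o["id"])
        for ref in o.get("references", []):
            if ref["type"] == "index-pattern" and views.get(ref["id"]) != expected_pattern:
                findings.append((title, "index-pattern", views.get(ref["id"], "<unknown>")))
        # visState is stored as a JSON string inside attributes.
        for field in field_refs(json.loads(o["attributes"].get("visState", "{}"))):
            if field not in known_fields:
                findings.append((title, "missing-field", field))
    return findings

def _obj(id_, type_, attrs, refs=()):
    return json.dumps({"id": id_, "type": type_, "attributes": attrs, "references": list(refs)})

# Constructed export: one panel reads logs-* and host.hostname (the reported
# symptom), the other is scoped to logs-falco* and uses a field that exists.
REF = {"name": "kibanaSavedObjectMeta.searchSourceJSON.index", "type": "index-pattern"}
SAMPLE_EXPORT = "\n".join([
    _obj("dv-logs", "index-pattern", {"title": "logs-*"}),
    _obj("dv-falco", "index-pattern", {"title": "logs-falco*"}),
    _obj("vis-hosts", "visualization", {"title": "Alerts by Host - Top 10 [Logs Falco]",
         "visState": json.dumps({"aggs": [{"params": {"field": "host.hostname"}}]})}, [{**REF, "id": "dv-logs"}]),
    _obj("vis-rules", "visualization", {"title": "Alerts by Rule [Logs Falco]",
         "visState": json.dumps({"aggs": [{"params": {"field": "falco.rule"}}]})}, [{**REF, "id": "dv-falco"}]),
])
```

Running `audit_export(SAMPLE_EXPORT, "logs-falco*", FALCO_FIELDS)` flags only the host panel, once for its `logs-*` data view and once for `host.hostname`.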
@elasticmachine

Pinging @elastic/security-service-integrations (Team:Security-Service Integrations)
