Tracking containment

Maps offers the tracking containment rule type, which runs an Elasticsearch query over your indices to determine whether any documents are currently contained within any of the boundaries held in the specified boundary index. When an entity is found inside a boundary, an alert may be generated.
Requirements

To create a tracking containment rule, the following must be present:

- Tracks index or data view: an index containing a geo_point field, a date field, and some form of entity identifier. An entity identifier is a keyword or number field that consistently identifies the entity to be tracked. The data in this index should be updating dynamically so that there are entity movements to alert upon.
- Boundaries index or data view: an index containing geo_shape data, such as boundary data and bounding box data. This data is presumed to be static (not updating). Shape data matching the query is harvested once when the rule is created, and again whenever the rule is re-enabled after having been disabled; boundaries added or changed in between are not picked up until then.
By design, only the entity locations from the current interval (current is determined by the date field of the tracks index or data view) are queried to determine whether they are contained within any monitored boundaries. Entity data should therefore be somewhat "real time", meaning the dates of new documents must not be older than the current time minus the rule's check interval. A document whose date is older than now - <current interval> at the time it is ingested falls outside the queried window and will not trigger the rule.
Rule conditions

Tracking containment rules have three clauses that define the condition to detect, as well as two Kuery bars used to provide additional filtering context, one for each of the two indices.

- Index (entity): This clause requires an index or data view, a time field that will be used for the time window, and a geo_point field for tracking.
- When entity: This clause specifies which crossing option to track. The values Entered, Exited, and Crossed can be selected to indicate which crossing conditions should trigger the rule. Entered alerts on entry into a boundary, Exited alerts on exit from a boundary, and Crossed alerts on all boundary crossings, whether entrances or exits.
- Index (Boundary): This clause requires an index or data view, a geo_shape field identifying the boundaries, and an optional human-readable boundary name field for better alerting messages.
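The evaluation that the three clauses and the "current interval" note above describe (freshest position per entity inside the interval, a containment test against the boundary shapes, and an Entered/Exited/Crossed decision on change) is shown below as an added Python model. This is example code, not Kibana's implementation: Kibana performs these steps as Elasticsearch queries against the configured indices. The field names (entity_id, @timestamp, location, geometry, name, zone_id), the two square boundaries, the truck track documents and the ray-casting polygon test are all constructed here for illustration; the single-pass "first containing boundary" lookup is also a simplification.

```python
"""Model of how a tracking containment rule decides Entered / Exited / Crossed.

Example code, not Kibana's implementation: Kibana evaluates this with
Elasticsearch queries against the configured indices. Field names, boundary
shapes and track documents below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Stand-ins for the fields chosen in the rule's clauses (assumed names).
ENTITY_FIELD = "entity_id"        # keyword: entity identifier
DATE_FIELD = "@timestamp"         # date: time field for the window
GEO_FIELD = "location"            # geo_point: tracked position
BOUNDARY_GEO_FIELD = "geometry"   # geo_shape: boundary polygon
BOUNDARY_NAME_FIELD = "name"      # optional human-readable boundary name


def _ts(text):
    """Parse an ISO-8601 UTC timestamp such as 2023-05-01T11:58:00Z."""
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


# Constructed boundary documents. geo_shape polygons are closed rings of
# (lon, lat) pairs, the coordinate order GeoJSON and Elasticsearch use.
BOUNDARY_DOCS = [
    {"zone_id": "zone-a", BOUNDARY_NAME_FIELD: "Depot A",
     BOUNDARY_GEO_FIELD: [(-1.0, -1.0), (1.0, -1.0), (1.0, 1.0), (-1.0, 1.0), (-1.0, -1.0)]},
    {"zone_id": "zone-b", BOUNDARY_NAME_FIELD: "Depot B",
     BOUNDARY_GEO_FIELD: [(5.0, 5.0), (7.0, 5.0), (7.0, 7.0), (5.0, 7.0), (5.0, 5.0)]},
]

# Constructed track documents: one entity id, one date, one geo_point each.
TRACK_DOCS = [
    {ENTITY_FIELD: "truck-1", DATE_FIELD: _ts("2023-05-01T11:50:00Z"), GEO_FIELD: {"lat": 0.0, "lon": 0.0}},
    {ENTITY_FIELD: "truck-1", DATE_FIELD: _ts("2023-05-01T11:58:00Z"), GEO_FIELD: {"lat": 0.5, "lon": 0.5}},
    {ENTITY_FIELD: "truck-2", DATE_FIELD: _ts("2023-05-01T11:57:00Z"), GEO_FIELD: {"lat": 6.0, "lon": 6.0}},
    {ENTITY_FIELD: "truck-2", DATE_FIELD: _ts("2023-05-01T11:59:00Z"), GEO_FIELD: {"lat": 10.0, "lon": 10.0}},
    # Older than now - interval at evaluation time: must be ignored.
    {ENTITY_FIELD: "truck-3", DATE_FIELD: _ts("2023-05-01T11:40:00Z"), GEO_FIELD: {"lat": 0.0, "lon": 0.0}},
]


def point_in_polygon(lon, lat, ring):
    """Ray-casting test: is (lon, lat) inside the closed ring?"""
    inside = False
    for (x1, y1), (x2, y2) in zip(ring, ring[1:]):
        if (y1 > lat) != (y2 > lat):
            x_cross = x1 + (lat - y1) * (x2 - x1) / (y2 - y1)
            if lon < x_cross:
                inside = not inside
    return inside


def containing_boundary(point, boundaries):
    """Return the first boundary document containing the geo_point, or None."""
    for doc in boundaries:
        if point_in_polygon(point["lon"], point["lat"], doc[BOUNDARY_GEO_FIELD]):
            return doc
    return None


def latest_locations(track_docs, now, interval):
    """Newest document per entity whose date lies in (now - interval, now].

    Documents dated before now - interval are dropped, which is why data that
    is ingested late never triggers the rule.
    """
    window_start = now - interval
    latest = {}
    for doc in track_docs:
        if not (window_start < doc[DATE_FIELD] <= now):
            continue
        entity = doc[ENTITY_FIELD]
        if entity not in latest or doc[DATE_FIELD] > latest[entity][DATE_FIELD]:
            latest[entity] = doc
    return latest


def evaluate(track_docs, boundary_docs, previous_state, now, interval, crossing="Crossed"):
    """One rule check.

    previous_state maps entity -> zone_id of the boundary it was last seen in
    (None if it was outside all boundaries). Returns (alerts, new_state).
    """
    assert crossing in ("Entered", "Exited", "Crossed")
    alerts = []
    new_state = dict(previous_state)
    for entity, doc in latest_locations(track_docs, now, interval).items():
        current = containing_boundary(doc[GEO_FIELD], boundary_docs)
        current_id = current["zone_id"] if current else None
        previous_id = previous_state.get(entity)
        new_state[entity] = current_id
        if current_id == previous_id:
            continue  # no crossing since the last check
        if previous_id is not None and crossing in ("Exited", "Crossed"):
            name = next(b[BOUNDARY_NAME_FIELD] for b in boundary_docs if b["zone_id"] == previous_id)
            alerts.append({"entity": entity, "event": "Exited", "boundary": name})
        if current_id is not None and crossing in ("Entered", "Crossed"):
            alerts.append({"entity": entity, "event": "Entered", "boundary": current[BOUNDARY_NAME_FIELD]})
    return alerts, new_state


def run_example(crossing="Crossed"):
    """Evaluate the constructed data at 12:00 with a 5-minute check interval."""
    now = _ts("2023-05-01T12:00:00Z")
    previous_state = {"truck-2": "zone-b", "truck-3": "zone-a"}
    return evaluate(TRACK_DOCS, BOUNDARY_DOCS, previous_state, now, timedelta(minutes=5), crossing)


if __name__ == "__main__":
    for alert in run_example()[0]:
        print(alert)
```

With Crossed selected, truck-1 produces an Entered alert for Depot A and truck-2 an Exited alert for Depot B; switching the crossing option to Entered or Exited keeps only the matching one. truck-3 produces nothing and keeps its old state because its only document is dated before now - interval, which is the stale-data behaviour described in the requirements.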
Actions

The conditions under which a rule runs an action can be specified separately for each individual action. A rule can be triggered either when a containment condition is met or when an entity is no longer contained.