If the search generating the alert relies on aggregates, there might not be any contributing events to show.
For example, if the search is performing a |stats count and alerting where count>4, it is relying on an aggregate of 4 events; it doesn't necessarily keep track of what those 4 specific events were. But if it's alerting on |search threat_intel=calc.exe, there are specific contributing events available. (Examples for illustrative purposes only.)
So there are some searches that will have contributing events available, but not all of them do.
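An added illustration of the point above, not from the original post: the first search below alerts on an aggregate and keeps nothing but the count, while the second rewrites the same condition with eventstats so that the raw events remain in the result set and are therefore available as contributing events. The index, sourcetype and field names (index=endpoint, sourcetype=process_create, host, process_name) are assumed placeholders, and the assumption is that a search whose results are the raw events can surface those events in the triggered-alert view.

```spl
/* Aggregate form: the result is a single count per host, so the alert
   has no record of which individual events contributed to it. */
index=endpoint sourcetype=process_create process_name=calc.exe
| stats count by host
| where count > 4

/* Event-preserving form: eventstats adds the per-host count to every
   event instead of collapsing them, so the where clause filters the
   original events and each alert keeps its contributing events. */
index=endpoint sourcetype=process_create process_name=calc.exe
| eventstats count by host
| where count > 4
| table _time host process_name count
```

The trade-off is volume: eventstats returns every matching event rather than one summary row, so over a large time window the second form costs more than the first. If only a sample of evidence is needed alongside the count, stats with values(_raw) or a limited list() on the fields of interest is a middle ground that keeps the aggregate but carries the raw evidence with it.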