Open
Description
Opened on Jan 20, 2022
Describe the feature:
When an analyst changes the state of a detection alert, the alert should show which Kibana user changed the state of the alert. This value should be added to a list field within the alert stored on the `.siem-signals-*` index. This field should contain all of the previous state changes that were made to the rule so that during an audit it can be easily seen when and by whom any changes to the alert were made. This status should also include actions such as "add to case". At this time there are only the `signal.status` and the `kibana.alert.workflow_status` fields in the index, and they only display `open`, `closed`, and `acknowledged`.
Describe a specific use case for the feature:
- When conducting an audit of the previous month's alerts, the auditor can see the full history of the alert workflow and can generate metrics and dashboards using this information.
- By adding the values to the alerts in the `.siem-signals-*` index we can create automations using this information. For example, we could create an automation that regularly queries the workflow update fields for newly updated alert status and then uses the username values to automatically update third-party applications such as Slack or TheHive with the information and assign tasks directly to the individual that acknowledged, closed, or opened the alert.
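The following is an added example (not code from the issue, from Kibana, or from Elastic) that models the data structure and the polling automation the request describes. The history field name `kibana.alert.workflow_status_history`, its entry keys, the assumption that it is mapped as `nested`, the helper names, and the sample alerts are all assumptions made for illustration; `kibana.alert.workflow_status` and `signal.status` are the fields the issue itself names.

```python
"""Illustrative model of a per-alert workflow-status audit trail.

Added example, not Kibana code. HISTORY_FIELD is a hypothetical field name;
the sample alerts are constructed and flattened (no _source wrapper).
"""
from datetime import datetime, timezone

HISTORY_FIELD = "kibana.alert.workflow_status_history"  # hypothetical list field
STATUS_FIELD = "kibana.alert.workflow_status"           # existing field named in the issue
VALID_STATUSES = ("open", "acknowledged", "closed")      # the three values the issue lists


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Build a tz-aware UTC datetime (keeps the sample data and tests readable)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def _ts(at: datetime) -> str:
    """Normalise to a UTC ISO-8601 'Z' string, the form stored in Elasticsearch."""
    if at.tzinfo is None:
        at = at.replace(tzinfo=timezone.utc)
    return at.astimezone(timezone.utc).isoformat().replace("+00:00", "Z")


def record_status_change(alert: dict, user: str, new_status: str, at: datetime) -> dict:
    """Append an audit entry (who, when, from, to) and update the current status."""
    if new_status not in VALID_STATUSES:
        raise ValueError(f"unknown workflow status: {new_status!r}")
    entry = {
        "@timestamp": _ts(at),
        "user": user,
        "action": "status_change",
        "from": alert.get(STATUS_FIELD),
        "to": new_status,
    }
    alert.setdefault(HISTORY_FIELD, []).append(entry)
    alert[STATUS_FIELD] = new_status
    return entry


def record_add_to_case(alert: dict, user: str, case_id: str, at: datetime) -> dict:
    """Append an audit entry for attaching the alert to a case; status is unchanged."""
    entry = {"@timestamp": _ts(at), "user": user, "action": "add_to_case", "case_id": case_id}
    alert.setdefault(HISTORY_FIELD, []).append(entry)
    return entry


def build_poll_query(since: datetime) -> dict:
    """Query DSL an automation could run against .siem-signals-* to fetch alerts
    with at least one history entry newer than its watermark. Assumes the history
    field is mapped as `nested`, so the range applies per entry rather than to the
    min/max of a flattened object array."""
    return {
        "query": {
            "nested": {
                "path": HISTORY_FIELD,
                "query": {"range": {f"{HISTORY_FIELD}.@timestamp": {"gt": _ts(since)}}},
            }
        }
    }


def changes_since(alerts: list, since: datetime) -> list:
    """Client-side filter over returned hits: (alert_id, entry) pairs newer than the
    watermark, oldest first. A nested query returns the whole alert, including
    entries already processed, so the poller must still filter per entry."""
    watermark = _ts(since)
    found = []
    for alert in alerts:
        for entry in alert.get(HISTORY_FIELD, []):
            if entry["@timestamp"] > watermark:  # same 'Z' format, so string order is time order
                found.append((alert["_id"], entry))
    found.sort(key=lambda pair: pair[1]["@timestamp"])
    return found


def assignments_by_user(alerts: list, since: datetime) -> dict:
    """Group new changes by the analyst who made them: the routing step before
    posting to Slack or assigning a TheHive task to that person."""
    grouped: dict = {}
    for alert_id, entry in changes_since(alerts, since):
        grouped.setdefault(entry["user"], []).append({"alert_id": alert_id, **entry})
    return grouped


def sample_alerts() -> list:
    """Constructed alerts (not real .siem-signals-* documents) with a short history."""
    a = {"_id": "alert-1", "signal.status": "open", STATUS_FIELD: "open"}
    b = {"_id": "alert-2", "signal.status": "open", STATUS_FIELD: "open"}
    record_status_change(a, "analyst_a", "acknowledged", utc(2022, 1, 20, 9, 0))
    record_add_to_case(a, "analyst_a", "case-42", utc(2022, 1, 20, 9, 5))
    record_status_change(b, "analyst_b", "closed", utc(2022, 1, 20, 10, 0))
    record_status_change(a, "analyst_b", "closed", utc(2022, 1, 20, 11, 0))
    return [a, b]


if __name__ == "__main__":
    alerts = sample_alerts()
    print(build_poll_query(utc(2022, 1, 20, 9, 30)))
    for user, changes in assignments_by_user(alerts, utc(2022, 1, 20, 9, 30)).items():
        print(user, [(c["alert_id"], c["action"]) for c in changes])
```

Keeping the watermark per entry rather than per alert is the point of the nested mapping: with a plain object array, a range on `@timestamp` would match an alert whose only new activity is a case attachment and then re-deliver its old status changes, so the poller filters entries client-side as well.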
Labels: Security Solution Detection Alerts Feature; Security Solutions Team (SIEM, Endpoint, Timeline, Resolver, etc.); Security Solution Detection Engine Area; Security Detection Response Team; ResponseOps team (formerly the Cases and Alerting teams); New value added to drive a business result