Description
opened on Dec 17, 2020
Describe the feature:
Ability to manually or auto adjust multiple Risk score settings and define an action within a single detection rule
Describe a specific use case for the feature:
In the example below, I am starting with a high severity detection with a risk score of 73. When I override the severity with low and medium events, there is no way to adjust the risk score numbers for both of these overrides.
It is also not possible to define an action based on the severity. For example, we may want an email to be sent only for high severity events. It should be possible to define an action which only triggers if some condition is met (for example `signal.rule.severity : high`).
After speaking to a colleague, I was told that the risk score override only supports a single-value exact match against number fields, so it is pretty limited in its current state.
A couple of potential options:
- allow the user to manually specify the risk score for each override (multiple)
- automatically adjust the risk score based on the override's severity (i.e. low = 21, medium = 47, high = 73, critical = 100)