Description
We are introducing a new feature that lets users include "closed" alerts in risk score calculations. Scoring closed alerts alongside open ones gives a more comprehensive view of an entity's risk than open alerts alone.
Users can toggle a button to include closed alerts in the risk score calculation and specify a date/time range for the calculation. They can also preview the resulting scores before saving the changes, which take effect on the next engine run.
Background & resources
- PRs:
- [API] [Entity Analytics][API] New API to allow user to configure risk engine SO kibana#201344,
- [API] [Entity Analytics][API] Changes for preview-risk-scores API to accept new params kibana#201397,
- [UI] [Entity Analytics][UI] UI changes for Risk Engine to include closed alerts for risk score calculation kibana#201909
- Issues/metas: https://github.com/elastic/security-team/issues/10883
- Point of contact: @abhishekbhatia1710
Test environments:
Kibana: https://kibana-pr-201909-security-f6e262.kb.eu-west-1.aws.qa.elastic.cloud/login
Elasticsearch: https://kibana-pr-201909-security-f6e262.es.eu-west-1.aws.qa.elastic.cloud/
Credentials:
vault read -address=https://secrets.elastic.co:8200 secret/kibana-issues/dev/cloud-deploy/kibana-pr-201909-security
Kibana image: docker.elastic.co/kibana-ci/kibana-serverless:pr-201909-d0f22970266f
Which documentation set does this change impact?
ESS and serverless
ESS release
8.18
Serverless release
Next release
Feature differences
The feature is identical in ESS and serverless
API docs impact
New API endpoint: api/risk_score/engine/saved_object/configure
A PUT request to this endpoint updates the risk engine configuration saved object. This is how a user enables the feature to include closed alerts in the risk score calculation; the saved configuration is picked up on the next engine run.
The request body accepts the following fields:
- exclude_alert_statuses: ["open", "closed"] (alert workflow statuses to leave out of the calculation; going by the parameter name, closed alerts are included when "closed" is absent from this list)
- range: {"start": "now-40m", "end": "now"} (the date/time window the calculation covers, expressed with date-math values such as the ones shown)
- exclude_alert_tags: ["False positive"] (alerts carrying any of these tags are left out of the calculation)
For example:
curl --location --request PUT 'http://localhost:5601/api/risk_score/engine/saved_object/configure' \
--header 'kbn-xsrf: hello' \
--header 'elastic-api-version: 2023-10-31' \
--header 'x-elastic-internal-origin: test' \
--header 'Content-Type: application/json' \
--header 'Authorization: <REDACTED>' \
--data '{
"exclude_alert_statuses" : ["open", "closed"],
"range": {
"start" : "now-23m",
"end" : "now"
},
"exclude_alert_tags" : ["False-positive"]
}'
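The same PUT request as a small script, added here as an example and not taken from the Kibana code base or the PRs above. The endpoint path, the three body fields and the kbn-xsrf / elastic-api-version / x-elastic-internal-origin headers are the ones shown on this page; the helper names (build_configure_payload, include_closed_alerts_payload, configure_risk_engine), the local sanity checks on the body, and the use of an "ApiKey" Authorization header are assumptions made for the example. The checks run before anything is sent, so a malformed range or an unknown status fails locally instead of producing a 400 from Kibana.

```python
"""Send the risk-engine configure request described above (example code).

Assumptions (not from the page): helper names, the local validation rules,
and that the Authorization header carries a Kibana API key ("ApiKey <base64>").
"""
import json
import re
import urllib.request
from typing import Any, Dict, Iterable, Tuple

CONFIGURE_PATH = "/api/risk_score/engine/saved_object/configure"

# Alert workflow statuses shown on this page. This is a local sanity check,
# not Kibana's own request schema.
KNOWN_STATUSES = {"open", "closed"}

# Accepts Elasticsearch date-math ("now", "now-40m", "now-1d/d") or an
# ISO-8601 date / timestamp ("2024-11-01", "2024-11-01T10:00:00Z").
DATE_MATH = re.compile(
    r"^now(?:[+-]\d+[yMwdhHms])*(?:/[yMwdhHms])?$"
    r"|^\d{4}-\d{2}-\d{2}(?:T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z?)?$"
)


def build_configure_payload(
    exclude_alert_statuses: Iterable[str],
    range_start: str,
    range_end: str,
    exclude_alert_tags: Iterable[str] = (),
) -> Dict[str, Any]:
    """Build the PUT body and reject obviously malformed values up front."""
    statuses = list(exclude_alert_statuses)
    unknown = set(statuses) - KNOWN_STATUSES
    if unknown:
        raise ValueError(f"unknown alert status(es): {sorted(unknown)}")
    for label, value in (("start", range_start), ("end", range_end)):
        if not isinstance(value, str) or not DATE_MATH.match(value):
            raise ValueError(f"range.{label} is not a date-math expression: {value!r}")
    tags = list(exclude_alert_tags)
    if any(not isinstance(t, str) or not t.strip() for t in tags):
        raise ValueError("exclude_alert_tags must contain non-empty strings")
    return {
        "exclude_alert_statuses": statuses,
        "range": {"start": range_start, "end": range_end},
        "exclude_alert_tags": tags,
    }


def include_closed_alerts_payload(
    range_start: str = "now-30d",
    range_end: str = "now",
    exclude_alert_tags: Iterable[str] = (),
) -> Dict[str, Any]:
    """Body for the feature this page describes: closed alerts are included by
    leaving "closed" out of exclude_alert_statuses (inferred from the field
    name; assumption, not confirmed by the page)."""
    return build_configure_payload([], range_start, range_end, exclude_alert_tags)


def configure_risk_engine(
    kibana_url: str, api_key: str, payload: Dict[str, Any], timeout: float = 30.0
) -> Tuple[int, Any]:
    """PUT the payload to Kibana and return (HTTP status, decoded JSON body)."""
    req = urllib.request.Request(
        kibana_url.rstrip("/") + CONFIGURE_PATH,
        data=json.dumps(payload).encode("utf-8"),
        method="PUT",
        headers={
            "kbn-xsrf": "true",  # any value; Kibana only requires the header
            "elastic-api-version": "2023-10-31",
            "x-elastic-internal-origin": "test",
            "Content-Type": "application/json",
            "Authorization": f"ApiKey {api_key}",  # assumed auth scheme
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read()
        return resp.status, (json.loads(body) if body else {})


if __name__ == "__main__":
    import os

    # Excludes only "False positive" alerts over the last 40 minutes and
    # keeps closed alerts in the calculation.
    body = include_closed_alerts_payload("now-40m", "now", ["False positive"])
    print(json.dumps(body, indent=2))
    if os.environ.get("KIBANA_API_KEY"):
        status, resp = configure_risk_engine(
            os.environ.get("KIBANA_URL", "http://localhost:5601"),
            os.environ["KIBANA_API_KEY"],
            body,
        )
        print(status, resp)
```

The script only contacts Kibana when KIBANA_API_KEY is set, so the payload construction can be exercised offline; the curl command above does the same thing by hand.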
Prerequisites, privileges, feature flags
No response