Central management for the detection actions #80342
Labels: enhancement (New value added to drive a business result); Feature:Detection Rules (Security Solution rules and Detection Engine); Feature:Rule Management (Security Solution Detection Rule Management area); Team:Detection Rule Management (Security Detection Rule Management Team); Team:Detections and Resp (Security Detection Response Team); Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.); Theme: TBD
Centralised visibility/management of the detections rules and the actions applied.
At the moment, setting actions for a SIEM detection requires editing every rule to which we would want an action applied; for us this is anything over medium severity. However, in the SIEM Detections list there is no sort for anything other than Activated, and no view within that of which rules have actions applied.
Currently on-premises we use elastalert, configured with a rule to alert via email for any detection of >= medium. This also allows us to suppress any alerts that might trigger on a system multiple times within a short period of time, so that we receive less repetition.
I did consider creating an index pattern of .siem-signals-, a detection for any alerts over medium with an action, then realised this would write back to the detection and cause a loop. If there is a method of creating a detection without it writing back to .siem-signals- then it may help.
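As an added illustration of the severity threshold plus per-host suppression that the post describes elastalert doing, here is example code written for this page (not part of the issue, of elastalert, or of the Security app); the signal field names, the rule names and the 15-minute window are assumptions.

```python
from datetime import datetime, timedelta

# Severity ranking used to apply the ">= medium" threshold from the post
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

def select_alerts(signals, min_severity="medium", suppress_window=timedelta(minutes=15)):
    """Return the signals that should trigger the email action.

    signals: dicts with "@timestamp" (ISO 8601), "host.name", "signal.rule.name"
             and "signal.rule.severity". The field names are an assumption
             modelled on what the Security app writes to its signals index.
    A signal is emitted only if its severity meets the threshold and no alert
    for the same (host, rule) pair was emitted within suppress_window; this is
    the "suppress repeats on a system within a short period" behaviour.
    """
    threshold = SEVERITY_RANK[min_severity]
    last_emitted = {}  # (host, rule name) -> timestamp of the last emitted alert
    emitted = []
    for sig in sorted(signals, key=lambda s: s["@timestamp"]):
        if SEVERITY_RANK.get(sig["signal.rule.severity"], 0) < threshold:
            continue  # below the configured severity: no action
        key = (sig["host.name"], sig["signal.rule.name"])
        ts = datetime.fromisoformat(sig["@timestamp"])
        prev = last_emitted.get(key)
        if prev is not None and ts - prev < suppress_window:
            continue  # repeat on the same host inside the window: suppressed
        last_emitted[key] = ts
        emitted.append(sig)
    return emitted

# Constructed sample signals (not real data): one rule fires three times on
# web-01 within ten minutes, once on db-02, plus one low-severity hit.
SAMPLE_SIGNALS = [
    {"@timestamp": "2020-10-13T10:00:00", "host.name": "web-01",
     "signal.rule.name": "Suspicious PowerShell", "signal.rule.severity": "high"},
    {"@timestamp": "2020-10-13T10:04:00", "host.name": "web-01",
     "signal.rule.name": "Suspicious PowerShell", "signal.rule.severity": "high"},
    {"@timestamp": "2020-10-13T10:09:00", "host.name": "web-01",
     "signal.rule.name": "Suspicious PowerShell", "signal.rule.severity": "high"},
    {"@timestamp": "2020-10-13T10:05:00", "host.name": "db-02",
     "signal.rule.name": "Suspicious PowerShell", "signal.rule.severity": "high"},
    {"@timestamp": "2020-10-13T10:06:00", "host.name": "web-01",
     "signal.rule.name": "Port Scan", "signal.rule.severity": "low"},
    {"@timestamp": "2020-10-13T10:30:00", "host.name": "web-01",
     "signal.rule.name": "Suspicious PowerShell", "signal.rule.severity": "high"},
]

if __name__ == "__main__":
    for s in select_alerts(SAMPLE_SIGNALS):
        print(s["@timestamp"], s["host.name"], s["signal.rule.name"])
```

Running it emits three alerts (web-01 at 10:00, db-02 at 10:05, web-01 again at 10:30); the 10:04 and 10:09 repeats on web-01 and the low-severity hit are dropped.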