Action export selected signals to csv


Just a thought for a SIEM feature. We have colleagues with limited or no acces to Elastic / Kibana. But sometimes they do need to get a list of some signals. Imho it would be super handy to be able to quickly export selected signals to csv, which we can the provide to whoever needs it.




Thanks for your feedback @willemdh!

It sounds like Kibana's Reporting

feature, which can export to CSV and PDF manually or automatically via watcher may be a fit for your use case, especially since your colleagues have limited or no access to Kibana. For transparency, I'll echo the sentiment in this reply to a similar question and note that there may be caveats that I'm not aware of, so in a pinch, you may want to reach out the experts in that area here.

Hey @Andrew_G,

Thnaks for your answer. I know the csv / pdf exporting feature exists (and I'm using it for other use cases), but afaik this is not possible from the Detections App. Imho it would save us all some time if we could do this directly from the detections app and only export the selected signals.

Thanks for your reply @willemdh. From the above, it sounds like you're looking for more of an interactive / integrated export experience instead of an automated report.

Would you be willing to describe your use case in a feature request and reply-back with a link so I can add the appropriate tags for visibility within the team?

I personally don't feel like it would be a popular request.

What is the "use case" exactly?

I personally don't feel like it would be a popular request.

I personally feel like I could really use this kind of functionality. The SIEM signals data is not exposed except to some security / soc personel. When we need to escalate this to application teams / management or others, they ask for details. A quick export to csv of only the selected signals and email / attach to a ticket to who needs it is the use case. This so they can know what's it about without needing access to the SIEM signals index and related datasets.

Maybe the reason I need this is because I have absolutely no use at all from the way the Kibana Case Incident Management System works currently. As I already tried to explain in Case Connectors the limited amount of supported ITSM connectors and the fact that we cannot use a webhook might lead to me needing other ways to share relevant signals and info to stakeholders.

Allowing a quick export to csv of only the selected signals would imho be much quicker and easier then having to drag the signals to a timeline, then create a case from the timeline, then find some way to create an ITSM ticket which has the same data as in the Kibana case.

Export to csv should take like 3 sec and attach this csv to an itsm ticket could take another 10s which together is a lot shorter then what I got to do now. Exporting to csv would also allow to import in excel or sth similar and further aggregate / analyse there. (Some people (like mgmt) will never use a tool like Kibana, but Excel comes natural for them)

You can just copy the json from the signal.

Not sure what copying the json of 1 signal has to do with my enhancement request of being able to export multiple signals (possible 100 or more) to csv from the Actions dropdown? (In the implementation I was thinking of, I'd also assume only the fields which are selected in the Detections overview are exported to csv, not all json fields)

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.