We've been using the alert assignment functionality for a few months now, and it has been incredibly helpful. It really helps us keep track of who worked on what alert. However, we've noticed a couple of issues that I wanted to bring up and see if anyone has suggestions or if these could be considered for future enhancements.
Assigning Multiple Alerts: Currently, we can't assign more than 100 alerts to a user at a time. When we click "Select all alerts," the "assign to user" option gets greyed out. This can be a bit frustrating when dealing with a large number of alerts. It would be great if this limit could be increased or removed altogether.
Automatic Assignment: Another idea we had is to automatically assign an alert to a user once they acknowledge or close it. This would streamline our process and save a bit of time. Has anyone else thought about this or found a workaround? And technically, is this something that could be done?
Would it be okay if I create a GitHub Enhancement Request for these functionalities? I think they would be awesome additions and could help improve the workflow for many users.
Thanks so much for reaching out with feedback. We are glad to see this feature has been useful and very happy to hear feedback on what ways we can improve it to be of even greater use.
Assigning multiple alerts - there may be an API workaround, but I'll need to double check and get back to you on that.
Automatic assignment - interesting! There is no workaround that I can think of. I can't, at the moment, think of any technical limitations in adding this functionality.
Please do create enhancement requests where you can follow any discussion/progress on the ticket. Please add the following tags to the tickets - "Team:Detection Engine", "Team:Detections and Resp" and feel free to assign to myself (@yctercero) or @Kseniiaign.