Alert triage enhancement ideas

willemdh · May 16, 2024, 8:15am

Hi everyone,

We've been using the alert assignment functionality for a few months now, and it has been incredibly helpful. It really helps us keep track of who worked on what alert. However, we've noticed a couple of issues that I wanted to bring up and see if anyone has suggestions or if these could be considered for future enhancements.

Assigning Multiple Alerts: Currently, we can't assign more than 100 alerts to a user at a time. When we click "Select all alerts," the "assign to user" option gets greyed out. This can be a bit frustrating when dealing with a large number of alerts. It would be great if this limit could be increased or removed altogether.
Automatic Assignment: Another idea we had is to automatically assign an alert to a user once they acknowledge or close it. This would streamline our process and save a bit of time. Has anyone else thought about this or found a workaround? And technically, is this something that could be done?

Would it be okay if I create a GitHub Enhancement Request for these functionalities? I think they would be awesome additions and could help improve the workflow for many users.

Thanks for any input!

Best, WillemD

yctercero · May 20, 2024, 6:49am

Hi @willemdh !

Thanks so much for reaching out with feedback. We are glad to see this feature has been useful and very happy to hear feedback on what ways we can improve it to be of even greater use.

Assigning multiple alerts - there may be an API workaround, but I'll need to double check and get back to you on that.
Automatic assignment - interesting! There is no workaround that I can think of. I can't, at the moment, think of any technical limitations in adding this functionality.

Please do create enhancement requests where you can follow any discussion/progress on the ticket. Please add the following tags to the tickets - "Team:Detection Engine", "Team:Detections and Resp" and feel free to assign to myself (@yctercero) or @Kseniiaign .

Many thanks!

willemdh · May 21, 2024, 8:02am

@yctercero Thanks for your feedback!

Create Kibana Security Alerts - Assigning multiple (>100) alerts to a user at once · Issue #183889 · elastic/kibana (github.com) and Kibana Security Alerts - Automatic User Assignment · Issue #183891 · elastic/kibana (github.com)

I don't think I have the rights to assign Labels?

Kseniiaign · May 21, 2024, 8:52am

Thanks for creating these @willemdh ! I have added assignments and labels.

Topic		Replies	Views
Feature Request: Alert Assignment to user SIEM	2	468	September 30, 2020
Any way to add assignees and/or tags in bulk? Elastic Security	1	43	January 1, 2025
UX improvements (Security app) SIEM	1	27	April 16, 2026
Adding alers to cases in bulk SIEM	2	171	June 12, 2024
Determine the user that acknowledged an Alert SIEM	6	695	January 18, 2024

Alert triage enhancement ideas

Related topics