I'm trying to understand how I can add alerts with actions like Slack to the SIEM rules...
The only way I found is to add a Watcher on the .siem index... but that's not it, I want to get an actual alert to Slack with the Signal that was created, it's a basic thing, no?
I'm adding one more issue: there is no way to create a Detection Rule with a threshold... like no more than 10 hits... it's a huge problem, what can I do? Any thoughts?
At the moment you can only change it on rules you create using the REST API, as it is not present on the UI just yet.
As for alerts with actions mentioned above, that feature is not in the current beta version but there is work being applied towards it. However, we cannot really comment on delivery timing as things change a lot depending on what is going on within the community.
Thanks for answering, the thing with the threshold is that I meant a threshold like the "conditions" in the watcher... so if the rule detected 10 hits in 1m then create a new Signal... and my CISO just cannot work like that unfortunately, it's just too hard to maintain the detection rules and the watcher together and without a UI, only JSON-based management.
I'm sure it will be much better in the near future but I think we will try more SIEM solutions :\
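To make the threshold condition in the thread concrete ("10 hits in 1 minute, then create one Signal"), here is an added illustration of a sliding-window threshold evaluated in plain Python over a constructed set of events. It is not Elastic SIEM or Watcher code and does not use the detection engine API; the event field names (`@timestamp`, `source.ip`, `event.outcome`) follow ECS naming but the events themselves are constructed for the example, and the signal format is an assumption of this example only.

```python
"""Sliding-window threshold rule: emit one signal when any value of `field`
reaches `value` matching hits inside `window`. Illustration only, not SIEM code."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_events():
    """Constructed sample events (not real logs). Three sources:
    - 10.0.0.5: 12 failures in 22 s  -> should trip a 10-in-1m threshold once
    - 10.0.0.7: 10 failures 40 s apart -> never 10 inside any 60 s window
    - 10.0.0.9: 4 failures              -> below the threshold entirely
    """
    base = datetime(2020, 3, 1, 12, 0, 0)
    events = []
    for i in range(12):
        events.append({"@timestamp": (base + timedelta(seconds=2 * i)).isoformat(),
                       "source.ip": "10.0.0.5", "event.outcome": "failure"})
    for i in range(10):
        events.append({"@timestamp": (base + timedelta(seconds=40 * i)).isoformat(),
                       "source.ip": "10.0.0.7", "event.outcome": "failure"})
    for i in range(4):
        events.append({"@timestamp": (base + timedelta(seconds=5 * i)).isoformat(),
                       "source.ip": "10.0.0.9", "event.outcome": "failure"})
    # a successful login from the noisy host must not count toward the threshold
    events.append({"@timestamp": (base + timedelta(seconds=3)).isoformat(),
                   "source.ip": "10.0.0.5", "event.outcome": "success"})
    return events


def threshold_signals(events, field, value, window, query=None, rule_name="threshold-rule"):
    """Return one signal per burst in which a single `field` value accumulates
    at least `value` events matching `query` within `window`.

    Events are processed in timestamp order; each group keeps a deque of the
    timestamps still inside the window. When the deque reaches `value` a
    signal is emitted and the deque is cleared so one burst yields one signal
    rather than one per additional event (the behaviour a Watcher-style
    "10 hits in 1m" condition is usually expected to have).
    """
    query = query or (lambda e: True)
    matching = sorted((e for e in events if query(e)),
                      key=lambda e: datetime.fromisoformat(e["@timestamp"]))
    recent = defaultdict(deque)  # group key -> timestamps inside the window
    signals = []
    for e in matching:
        t = datetime.fromisoformat(e["@timestamp"])
        key = e.get(field)
        q = recent[key]
        q.append(t)
        while q and t - q[0] > window:  # evict hits that fell out of the window
            q.popleft()
        if len(q) >= value:
            signals.append({
                "rule": rule_name,
                field: key,
                "count": len(q),
                "window_start": q[0].isoformat(),
                "window_end": t.isoformat(),
            })
            q.clear()
    return signals


def failed_logins_10_per_minute(events):
    """The condition from the thread: 10 failed logins per source in 1 minute."""
    return threshold_signals(
        events, field="source.ip", value=10, window=timedelta(minutes=1),
        query=lambda e: e.get("event.outcome") == "failure",
        rule_name="10-failed-logins-in-1m",
    )


if __name__ == "__main__":
    for sig in failed_logins_10_per_minute(make_events()):
        print(sig)
```

Running the block prints exactly one signal, for 10.0.0.5, because the slow trickle from 10.0.0.7 never has ten hits inside a single 60-second window and 10.0.0.9 never reaches ten at all. The query filter matters: without it the successful login would be counted toward the threshold, which is the same mistake as writing a Watcher condition over a total hit count instead of a filtered one.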