Alerting with actions in SIEM Detection Rules

Hi,

I'm trying to understand how I can add alerts with actions like Slack to the SIEM rules...

The only way I found is to add a Watcher on the .siem index... but that's not it, I want to get an actual alert to Slack with the Signal that was created, it's a basic thing, isn't it?

Thanks!


I'm adding another issue: there is no way to create a Detection Rule with a threshold... like no more than 10 hits... it's a huge problem. What can I do? Any thoughts?

Although it is not surfaced in the UI just yet, there is a max_signals setting which acts as a threshold and by default limits the number of signals to 100:

https://www.elastic.co/guide/en/siem/guide/current/rules-api-create.html

At the moment you can only change it on rules you create using the REST API, as it is not present in the UI jussssttt yet.

As for alerts with actions mentioned above, that feature is not in the current beta version but there is work being applied towards it. However, we cannot really comment on delivery timing as things change a lot depending on what is going on within the community.
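The following is an added example, not code from the original thread or from Elastic: a small Python helper that builds the JSON body for a detection rule with an explicit max_signals value and posts it to the Rules API endpoint linked above. It assumes a Kibana instance at KIBANA_URL with basic-auth credentials (constructed placeholders here) and the index pattern, query and rule_id shown are made-up sample values. Note the caveat the rest of the thread turns on: max_signals is an upper bound on how many signals one execution of the rule may create, not a "fire only after N hits" condition.

```python
import base64
import json
import urllib.request

# Constructed placeholders; replace with your own Kibana URL and credentials.
KIBANA_URL = "http://localhost:5601"
RULES_ENDPOINT = "/api/detection_engine/rules"
SEVERITIES = ("low", "medium", "high", "critical")


def build_rule(name, query, max_signals=10, rule_id=None, index=None,
               interval="5m", risk_score=50, severity="medium"):
    """Return the request body for a KQL 'query' rule with a max_signals cap.

    max_signals caps the number of signals a single rule execution can create
    (Kibana defaults it to 100 when the field is omitted). The validation below
    rejects values the API would not accept so mistakes surface before the POST.
    """
    if not isinstance(max_signals, int) or max_signals < 1:
        raise ValueError("max_signals must be a positive integer")
    if severity not in SEVERITIES:
        raise ValueError(f"severity must be one of {SEVERITIES}")
    if not 0 <= risk_score <= 100:
        raise ValueError("risk_score must be between 0 and 100")

    body = {
        "name": name,
        "description": f"{name} (created via the Rules API to set max_signals)",
        "type": "query",
        "language": "kuery",
        "query": query,
        "index": index or ["winlogbeat-*"],          # sample index pattern
        "interval": interval,                        # how often the rule runs
        "from": "now-6m",                            # look-back a little longer than interval
        "to": "now",
        "risk_score": risk_score,
        "severity": severity,
        "max_signals": max_signals,
        "enabled": True,
    }
    if rule_id:
        body["rule_id"] = rule_id                    # stable id you choose; Kibana generates one otherwise
    return body


def create_rule(body, username, password, kibana_url=KIBANA_URL):
    """POST the rule to Kibana. Needs a live Kibana, so it is not exercised offline."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        kibana_url + RULES_ENDPOINT,
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "kbn-xsrf": "true",                      # required by Kibana for state-changing requests
            "Authorization": f"Basic {token}",
        },
    )
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Sample rule: cap each run at 10 signals for a noisy constructed query.
    rule = build_rule(
        name="Example: suspicious PowerShell encoded command",
        query='process.name:"powershell.exe" and process.args:"-enc"',
        max_signals=10,
        rule_id="example-max-signals-10",          # constructed sample id
    )
    print(json.dumps(rule, indent=2))
    # create_rule(rule, "elastic", "changeme")  # uncomment to send to your Kibana
```

The body is plain JSON, so the same dictionary can be saved to a file and sent with curl if you prefer; the important parts are the max_signals field and the kbn-xsrf header, without which Kibana rejects the request.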

Thanks for answering. The thing with the threshold is that I meant a threshold like the "conditions" in the Watcher... so if the rule detects 10 hits in 1m then create a new Signal... and my CISO just cannot work like that unfortunately; it's just too hard to maintain the detection rules and the Watcher together without a UI, with only JSON-based management.

I'm sure it will be much better in the near future, but I think we will try more SIEM solutions :\

Thanks again! You are doing amazing work!
