Customize SIEM Detection columns based on alert

Hello,

It seems like the columns in the SIEM application are more or less static, and if I want a new value to be displayed I have to add it to the entire mask, which might lead to unpopulated fields in certain alerts.

Take this picture as an example:

This table assumes that every single detection has a username. If I get information about potential C2C communication, that log most likely will not have a username field populated, so it is quite literally useless information.
Is there any way to have these fields be dynamic, based on the type of detection it displays? So far I wasn't able to find any way.

Hi @madduck, I hope you are well.

It seems like the columns in the SIEM application are more or less static, and if I want a new value to be displayed I have to add it to the entire mask, which might lead to unpopulated fields in certain alerts.

What you've observed is true for the Alerts table at the bottom of the Detection page in the SIEM/Security App. The columns are static, and we've attempted to create a default column set that is useful for alert triage, and provides a good compromise for many common alert types.

However, as you've pointed out, there are many alerts for which you may want to have a custom selection and order of columns, and perhaps even more customization. We are exploring ideas for making the alert triage experience from the Alerts table even better in the future.

Today, you can get a custom alert view like what you've described just one click away in Timeline. When you click on the alert's "Investigate in timeline" button, you are taken to the Timeline investigation workspace, but behind the scenes a timeline template, which can be unique for every detection rule, allows you to specify the optimum column selection and column order for investigating alerts generated by each rule.

Perhaps equally helpful (IMO) is that the filters you include in the Timeline Template can specify an automatic substitution of the values from the corresponding fields of the selected alert, applied when you open the timeline. So not only do you have customized columns, but you also have your alerts and events filtered down to the entity you're most interested in investigating.

I commonly create a timeline template for a group of rules I'm planning to create. I start in a new Timeline or Template, filtering for some events that I expect to alert upon, create a column set and order that helps me see the fields that I'm likely to want to pivot on during my investigation of actual alerts, then I save the Timeline as a Template.

Later when I create the set of rules, I make sure to specify the Timeline Template during the rule creation process step 1, rule definition, here.

Finally, when my rules generate alerts, I click on the "investigate in timeline" button, and I hit the ground running in Timeline!

Have you experimented with Timeline Templates? Would love to hear your feedback.
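The steps in the reply above (save a Timeline Template, then pick it in step 1 of rule creation) can also be done programmatically: the Kibana detection-engine rule API carries the template link as the `timeline_id` and `timeline_title` fields of the rule body. The script below is an added example, not code from the forum post or from Elastic; the rule, the template id and the Kibana URL are constructed placeholders, and the only assumption about the API is the `POST /api/detection_engine/rules` endpoint with the fields shown.

```python
"""Attach a Timeline Template to an Elastic Security detection rule through
the Kibana detection-engine API (POST /api/detection_engine/rules).

Added example: the rule, template id and Kibana URL are constructed
placeholders, not values from the forum thread.
"""
import json
import os
import urllib.request

# Placeholder endpoint; set KIBANA_URL and KIBANA_API_KEY to send for real.
KIBANA_URL = os.environ.get("KIBANA_URL", "https://kibana.example.invalid:5601")

VALID_SEVERITIES = ("low", "medium", "high", "critical")


def build_rule(name, description, query, timeline_id, timeline_title,
               index=("logs-endpoint.events.*",), severity="medium",
               risk_score=47, interval="5m", lookback="now-6m"):
    """Return a 'query' rule body whose alerts open in the given template.

    timeline_id / timeline_title are the API equivalent of choosing a
    Timeline Template in step 1 (rule definition) of the rule wizard.
    """
    return {
        "name": name,
        "description": description,
        "type": "query",
        "language": "kuery",
        "query": query,
        "index": list(index),
        "severity": severity,
        "risk_score": risk_score,
        "interval": interval,
        "from": lookback,
        "enabled": True,
        "timeline_id": timeline_id,
        "timeline_title": timeline_title,
    }


def validate_rule(rule):
    """Return a list of problems; an empty list means the body is ready to POST."""
    problems = []
    for key in ("name", "description", "type", "query", "index", "severity", "risk_score"):
        if rule.get(key) in (None, "", []):
            problems.append(f"missing required field: {key}")
    if rule.get("severity") not in VALID_SEVERITIES:
        problems.append(f"severity must be one of {VALID_SEVERITIES}")
    if not isinstance(rule.get("risk_score"), int) or not 0 <= rule["risk_score"] <= 100:
        problems.append("risk_score must be an integer between 0 and 100")
    # Setting the id without the title (or vice versa) is the usual slip when
    # wiring templates by hand; the UI sets both together.
    if bool(rule.get("timeline_id")) != bool(rule.get("timeline_title")):
        problems.append("timeline_id and timeline_title must be set together")
    return problems


def build_request(rule, api_key, url=KIBANA_URL):
    """Build (but do not send) the POST request; Kibana requires the kbn-xsrf header."""
    body = json.dumps(rule).encode("utf-8")
    return urllib.request.Request(
        url.rstrip("/") + "/api/detection_engine/rules",
        data=body,
        method="POST",
        headers={
            "Content-Type": "application/json",
            "kbn-xsrf": "true",
            "Authorization": f"ApiKey {api_key}",
        },
    )


def create_rule(rule, api_key, url=KIBANA_URL):
    """Validate, send the rule and return the parsed API response."""
    problems = validate_rule(rule)
    if problems:
        raise ValueError("; ".join(problems))
    with urllib.request.urlopen(build_request(rule, api_key, url)) as resp:
        return json.load(resp)


if __name__ == "__main__":
    rule = build_rule(
        name="Certutil download cradle (constructed example)",
        description="certutil.exe invoked with -urlcache, a common download-cradle pattern.",
        query='process.name:"certutil.exe" and process.args:"-urlcache"',
        timeline_id="00000000-0000-0000-0000-000000000000",  # placeholder: copy from your saved template
        timeline_title="Endpoint process triage",           # constructed template title
    )
    print(json.dumps(rule, indent=2))
    if os.environ.get("KIBANA_API_KEY"):
        print(create_rule(rule, os.environ["KIBANA_API_KEY"]))
```

The template id is the saved-object id of the Timeline you saved as a template; the title must match the template's name. Without `KIBANA_API_KEY` the script only prints the rule body, which is a convenient way to review a batch of rules before bulk-attaching a shared template to all of them.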
