Detection Rules: Severity override based on multiple values

Hello,
I hope this is the correct section.
I need some advice. When creating some detection rules, I would need to perform a severity override based on different "source field" values, for instance:

Default severity: Medium
severity override
source field:user.name and source value: user.name1, user.name2

But this is not possible as I can only enter one value at a time in the source field. I have tried with both versions 7.1 and 8.1.

Could you suggest some solutions to be able to perform this action?

Best Regards


Hi there @sbianco1978 👋 Welcome to the community! 🙂

So unfortunately, this multi-value override functionality doesn't exist at the moment in the UI. I went ahead and created this enhancement, "[Security Solution][Detections] Add support for more complex field overrides" (Issue #131663, elastic/kibana on GitHub), that captures your request, so hopefully we can expand functionality here to support this use case.

That said, if you're willing to use the API, and if your expectation was for the above multi-value case to behave as an OR (e.g. mark the severity Low if user.name == user.name1 OR user.name == user.name2), then you could use the update API as a workaround to include additional severity_override values. While you can't add additional conditions in the UI, the API does allow setting additional conditions, and will use the matching condition with the highest severity.

So for example you could update the rule with the following severity_mapping:

  "severity_mapping": [ 
    {
      "field": "user.name",
      "operator": "equals",
      "severity": "low",
      "value": "userName1"
    },
    {
      "field": "user.name",
      "operator": "equals",
      "severity": "low",
      "value": "userName2"
    }
  ],

And when the rule executes, if either user.name equals userName1 OR userName2, any alerts generated should be marked as Low severity. This should display without issue in the UI when editing the rule; however, if you want to remove the additional condition, that'll need to be done via the update API as well.

Hope this helps, and thanks for the feedback on using field overrides @sbianco1978!

Cheers!
Garrett
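
An added illustration, not part of the original replies and not Kibana's own code: it generates one `equals` entry per value for the `severity_mapping` array shown above and models the resolution rule described in the reply (the matching entry with the highest severity wins, otherwise the default stays). The function names, the sample documents and the four-level severity ranking are assumptions made for this sketch.

```python
import json

# Severity levels used by Elastic detection rules, lowest to highest.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def build_severity_mapping(field, values, severity):
    """One 'equals' entry per value; together they behave as an OR."""
    if severity not in SEVERITY_RANK:
        raise ValueError(f"unknown severity: {severity!r}")
    return [
        {"field": field, "operator": "equals", "severity": severity, "value": v}
        for v in dict.fromkeys(values)  # drop duplicates, keep order
    ]


def get_field(doc, dotted):
    """Read e.g. 'user.name' from a flat-keyed or a nested document."""
    if dotted in doc:
        return doc[dotted]
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def resolve_severity(default, mapping, doc):
    """Model of the behaviour described in the reply: among matching
    entries the highest severity wins; with no match the default stays."""
    matched = []
    for entry in mapping:
        found = get_field(doc, entry["field"])
        candidates = found if isinstance(found, list) else [found]
        if entry["value"] in [str(c) for c in candidates if c is not None]:
            matched.append(entry["severity"])
    if not matched:
        return default
    return max(matched, key=SEVERITY_RANK.__getitem__)


# Constructed sample data, using the names from the thread.
mapping = build_severity_mapping("user.name", ["userName1", "userName2"], "low")
update_fragment = {"severity": "medium", "severity_mapping": mapping}

if __name__ == "__main__":
    print(json.dumps(update_fragment, indent=2))
    for doc in ({"user": {"name": "userName2"}}, {"user.name": "someoneElse"}):
        print(doc, "->", resolve_severity("medium", mapping, doc))
```

The printed fragment is the part of the rule body that would be sent through the update API; checking a few sample documents against it first shows which alerts would keep the default severity.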


Hi,
thanks for the idea. I will try it, and I hope for a future implementation of the feature.

Best Regards