Hello,
I hope this is the correct section.
I need some advice. When creating some detection rules I would need to perform a severity override based on different "source field" values, for instance:
Default severity: Medium
severity override
source field:user.name and source value: user.name1, user.name2
But this is not possible as I can only enter one value at a time in the source field. I have tried with both versions 7.1 and 8.1.
That said, if you're willing to use the API, and if your expectation was for the above multi-value case to behave as an OR (e.g. mark the severity Low if user.name == user.name1 OR user.name == user.name2), then you could use the update API as a workaround to include additional severity_override values. While you can't add additional conditions in the UI, the API does allow setting additional conditions, and will use the matching condition with the highest severity.
So for example you could update the rule with the following severity_mapping:
And when the rule executes if either user.name equals userName1 OR userName2, any alerts generated should be marked as Low severity. This should display without issue in the UI when editing the rule, however if you want to remove the additional condition that'll need to be done via the update API as well.
Hope this helps, and thanks for the feedback on using field overrides @sbianco1978!
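Added example, not code from either poster: it builds a `severity_mapping` with two conditions on the same field (the multi-value case the question asks for) and replays the "matching condition with the highest severity wins" behaviour the reply describes, with the default severity used only when nothing matches. The `severity_mapping` item shape (`field`/`operator`/`value`/`severity`), the `PUT /api/detection_engine/rules` endpoint, the `kbn-xsrf` header and the rule id are assumptions about the Kibana detection-rules API, not values quoted in this thread; the sample events are constructed.

```python
"""Multi-condition severity override for an Elastic detection rule.

Assumptions (not from the thread): severity_mapping entries look like
{"field", "operator": "equals", "value", "severity"}, the rule is updated
with PUT /api/detection_engine/rules, and Kibana needs a kbn-xsrf header.
"""
import json

# Rank used to pick the highest matching severity.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def build_severity_mapping(field, value_to_severity):
    """One 'equals' condition per (value, severity) pair on the same field.

    The UI accepts a single value per condition; the API accepts a list,
    which is what gives the OR-style behaviour from the reply.
    """
    return [
        {"field": field, "operator": "equals", "value": value, "severity": sev}
        for value, sev in value_to_severity.items()
    ]


def build_update_body(rule_id, default_severity, severity_mapping):
    """Payload for the update API: default severity plus the override list."""
    return {
        "rule_id": rule_id,                 # assumed: identify the rule by rule_id
        "severity": default_severity,
        "severity_mapping": severity_mapping,
    }


def curl_command(kibana_url, body, api_key_env="KIBANA_API_KEY"):
    """Render the update as a curl call (assumed endpoint and headers)."""
    return (
        "curl -X PUT '%s/api/detection_engine/rules' "
        "-H 'kbn-xsrf: true' "
        '-H "Authorization: ApiKey $%s" '
        "-H 'Content-Type: application/json' "
        "-d '%s'" % (kibana_url, api_key_env, json.dumps(body))
    )


def resolve_severity(default_severity, severity_mapping, event):
    """Severity an alert would get for a flat event ({"user.name": ...}).

    Every matching condition is considered and the highest severity wins;
    the rule's default applies only when no condition matches, so a
    matching 'low' override does lower a 'medium' default.
    """
    best = None
    for cond in severity_mapping:
        if cond["operator"] != "equals":
            continue  # only the equals operator is modelled here
        if event.get(cond["field"]) != cond["value"]:
            continue
        if best is None or SEVERITY_RANK[cond["severity"]] > SEVERITY_RANK[best]:
            best = cond["severity"]
    return best if best is not None else default_severity


if __name__ == "__main__":
    # Constructed sample: default Medium, Low for two specific user names.
    mapping = build_severity_mapping(
        "user.name", {"user.name1": "low", "user.name2": "low"}
    )
    body = build_update_body("my-rule-id", "medium", mapping)  # placeholder id
    print(curl_command("https://kibana.example", body))
    for ev in ({"user.name": "user.name1"}, {"user.name": "someone.else"}):
        print(ev, "->", resolve_severity("medium", mapping, ev))
```

The `resolve_severity` helper is there to make the precedence rule from the reply concrete: add a second condition on another field (say a `high` override on `host.name`) and an event matching both conditions resolves to `high`, while an event matching only a `low` condition resolves to `low` even though the default is `medium`.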