I hope this is the correct section.
I need some advice. When creating some detection rules I would need to perform a severity override based on different "source field" values, for instance:
Default severity: Medium
source field:user.name and source value: user.name1, user.name2
But this is not possible as I can only enter one value at a time in the source field. I have tried with both versions 7.1 and 8.1.
Could you suggest some solutions that would let me perform this action?
Hi there @sbianco1978, welcome to the community!
So unfortunately, this multi-value override functionality doesn't exist at the moment in the UI. I went ahead and created this enhancement [Security Solution][Detections] Add support for more complex field overrides · Issue #131663 · elastic/kibana · GitHub that captures your request, so hopefully we can expand functionality here to support this use case.
That said, if you're willing to use the API, and if your expectation was for the above multi-value case to behave as an OR (e.g. mark the severity user.name == user.name1 OR user.name == user.name2), then you could use the update API as a workaround to include additional severity_override values. While you can't add additional conditions in the UI, the API does allow setting additional conditions, and will use the matching condition with the highest severity.
So for example you could update the rule with the following

And when the rule executes, if either userName2, any alerts generated should be marked as Low severity. This should display without issue in the UI when editing the rule; however, if you want to remove the additional condition, that'll need to be done via the update API as well.
Hope this helps, and thanks for the feedback on using field overrides @sbianco1978!
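An added illustration of the API workaround above (example code written for this page, not from the thread or from Elastic): it builds one `severity_mapping` entry per user name, wraps it in a partial-update body for `PATCH /api/detection_engine/rules`, and shows how the "highest matching severity wins" resolution plays out against sample alert documents. The Kibana URL, API key and `rule_id` are placeholders; the alert documents are constructed for the demo.

```python
import json
import urllib.request

# Ranking used to pick the winning match (highest wins), as the answer describes.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def build_severity_mapping(field, values, severity):
    """One mapping entry per value; the rules API only supports the 'equals' operator."""
    return [{"field": field, "operator": "equals", "value": v, "severity": severity}
            for v in values]


def build_patch_body(rule_id, mapping):
    """Partial-update body; rule_id is the rule's rule_id, not the saved-object id."""
    return {"rule_id": rule_id, "severity_mapping": mapping}


def patch_rule(kibana_url, api_key, body):
    """Send the partial update. kbn-xsrf is required on every Kibana write request.
    kibana_url and api_key are placeholders supplied by the caller."""
    req = urllib.request.Request(
        f"{kibana_url}/api/detection_engine/rules",
        data=json.dumps(body).encode(), method="PATCH",
        headers={"kbn-xsrf": "true", "Content-Type": "application/json",
                 "Authorization": f"ApiKey {api_key}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def get_field(doc, path):
    """Read a dotted field from either a flattened ('user.name') or nested document."""
    if path in doc:
        return doc[path]
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def effective_severity(doc, default_severity, mapping):
    """Mirror the rule's behaviour: among matching conditions the highest severity
    wins; if nothing matches, the rule's default severity applies."""
    matches = [e["severity"] for e in mapping if get_field(doc, e["field"]) == e["value"]]
    if not matches:
        return default_severity
    return max(matches, key=lambda s: SEVERITY_RANK[s])


if __name__ == "__main__":
    mapping = build_severity_mapping("user.name", ["user.name1", "user.name2"], "low")
    print(json.dumps(build_patch_body("<RULE_ID_PLACEHOLDER>", mapping), indent=2))
    print(effective_severity({"user": {"name": "user.name2"}}, "medium", mapping))  # low
```

Removing a condition later is the same call with the trimmed `severity_mapping` list, matching the answer's note that the UI cannot do it.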
Thanks for the idea, I will try it and I hope for a future implementation of the feature.