Determine the user that acknowledged an Alert

I have several SOC analysts in my SIEM and need to figure out the following:

  1. How do I determine who acknowledged an alert?
  2. How can the analysts filter their acknowledged alerts so they only see what they have acknowledged and nothing else?
  3. How do I determine which analyst closed an alert and filter by the tags they used i.e. FP, Duplicate etc?

It just feels difficult to use in a team. I understand how powerful Elastic is, but this seems like a basic requirement for SIEMs that should be available out of the box.

Thanks


Good questions!

Hey, @lastshadow. Welcome to the Elastic community!

  2. How can the analysts filter their acknowledged alerts so they only see what they have acknowledged and nothing else?

Alerts can be filtered by setting the needed status in the status component filter on the alerts page, or by activating the Acknowledged tab on the rule details page.

As for

  1. How do I determine who acknowledged an alert?
  3. How do I determine which analyst closed an alert and filter by the tags they used i.e. FP, Duplicate etc?

Currently, there are no such capabilities. But there is an already merged PR that possibly addresses most of these functions in future releases.

Thanks, Vitalii

Thanks Vitalii but that doesn't really answer the question. Changing the status will show me ALL acknowledged alerts. This is not very user friendly and does not address a real practical SOC environment's needs where there are tens if not hundreds of alerts and many SOC analysts working them. When a user acknowledges an alert, that user's name should be tagged to the alert and they can filter based on the alert status and their names. As a matter of fact, we should be able to assign an alert to a user irrespective of the alert's status. In case you want to suggest that the alert should be assigned to a case and then worked from there, I would counter that not all alerts should become cases. In a real SOC we see many false positives that an analyst can do a basic triage and close them without making a case of it. IMHO cases should be for alerts that require further or deeper investigation.

Thanks


Thank you for giving more details on the use case.
Unfortunately, it's not possible to filter out alerts based on the acknowledged user. Filtering would only apply to all alerts.

I think the earlier mentioned PR could address this once released.

The Tags feature (Manage detection alerts | Elastic Security Solution [8.11] | Elastic) allows grouping alerts and also creating custom tags.
I wonder if this can be used as a workaround for your use case? Create a custom tag for each SOC analyst and then apply it when an alert is acknowledged. Then, alerts can be grouped and filtered based on the custom tag.


Thanks Vitalii. I looked at the PR and it does indeed address most of these concerns.

One other feature I would love to see is to add a comment section and disposition to the workflow for closing alerts. Again, when dealing with many alerts we may want to close some of them with a comment without turning them into a case.

So it would be like: select alerts > Mark as Closed > Enter comment (optional), Enter disposition or tag (FP, Tuning required, Benign etc.) > Closed.

That would be very useful and add functionality that exists in most SIEMs I have used - Splunk ES, QRadar, LogRhythm etc.

Just a suggestion!
