Updated to 7.8.1 last week and just noticed that we now have a huge number of external alerts from panw.panos.
I've been working on updating event.kind to alert for mcafee and cylance logs, but that's kind of invisible currently due to panw. So how are we supposed to use external alerts? (Our Palo Alto produces so many 'alerts' that are totally ignorable.)
Are the External Alerts 'meant to be left unfiltered'? Or are we supposed to use Logstash and, for example, remove the alert value when event.severity is 4 or lower? Or is there something I'm missing? Where is Elastic going with these External Alerts?
Sorry for the many questions; I'm trying to understand where this feature is going in order to not spend time on this in the wrong way. Preferably I would like the total number of External Events to be lower and only show the more critical events, without having to configure a filter every time. Just thinking out loud, but a way to locally pin filters might help. Currently pinning filters is global (I think?), which makes it more difficult to use, as SIEM / External Alerts filters are not applicable everywhere.
Also, there are currently only event.category and event.module to aggregate on in the External Alerts graph. Are there any plans to add more fields, such as host.name, source.ip, destination.ip, event.dataset and others?
Tx and grtz
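As an added illustration of the Logstash approach the post raises (this is not code from the post, and not an Elastic recommendation), here is a filter that demotes low-severity panw.panos alerts so they no longer count as External Alerts but stay searchable as ordinary events. It assumes the documents carry event.dataset = "panw.panos", that event.severity is already a numeric field when it reaches Logstash, and that in your severity scale 4 or lower is noise; the threshold, field names and tag name are all assumptions to adjust to your own data.

```logstash
# Added example, not from the original post or from Elastic.
# Assumptions: event.dataset is "panw.panos" for these documents,
# event.severity is numeric, and severity <= 4 is noise in this
# environment (change the threshold to match your module's scale).
filter {
  if [event][dataset] == "panw.panos"
     and [event][kind] == "alert"
     and [event][severity]
     and [event][severity] <= 4 {
    mutate {
      # Demote to a plain event so it drops out of the External Alerts
      # view, but keep the document so it can still be searched.
      replace => { "[event][kind]" => "event" }
      # Leave a trace that this pipeline changed the classification.
      add_tag => [ "alert_demoted_by_severity" ]
    }
  }
}
```

The existence check on `[event][severity]` keeps events that have no severity at all from being silently demoted, and the tag makes the change auditable later. If you would rather not store the noisy documents at all, use `drop { }` in place of the `mutate` block, but be aware that dropped alerts cannot be recovered for a later investigation. This only helps when the data actually flows through Logstash; if Filebeat ships directly to Elasticsearch, the same logic would have to live in an ingest pipeline instead.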