Hello Elastic Security Community,
I'm currently working with Elastic Security and have implemented several exception rules to fine-tune my alert system. However, I've encountered a challenge: I need to measure the effectiveness of these exception rules by tracking how many times each rule has been triggered.
From my understanding, Elastic Security doesn't provide a direct metric or counter for this. I'm looking for guidance or strategies on how to achieve the following:
- Determine the number of times an exception rule has been hit.
- Understand the impact of these exceptions on overall alert volume.
Specifically, I'm interested in any approaches that could be integrated within the existing Elastic Stack framework, such as Kibana visualizations, Elasticsearch queries, or any other effective methods that community members have used.
Any insights, experiences, or recommendations on this would be greatly appreciated. Thank you in advance for your assistance!
Edit:
I wanted to add an important detail to my idea regarding tracking exception rule hits in Elastic Security. My approach involves utilizing the ID associated with each exception. I've noticed these IDs in the alerts affected by the exceptions, but they are currently marked as an 'unknown field'. This issue might be related to field mapping in Elasticsearch.
I believe that if we can correctly identify and map these fields, it would enable more effective querying. This could potentially lead to the creation of informative dashboards that accurately reflect the impact of our exception rules. Does anyone have insights on properly mapping these 'unknown fields', or has anyone faced a similar challenge?
Best regards
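Added example (not part of the original post, and not Elastic's own code): one way to prototype the counting the post asks about, first offline over a handful of constructed alert documents, then as the equivalent Elasticsearch `terms` aggregation request body. The field name `kibana.alert.rule.exceptions_list` (a list of `{"id": ...}` objects on each alert) is an assumption about where the exception references live in the alert document; the `exc-*` IDs and rule names are made up. A `terms` aggregation only returns buckets when the target field is mapped as `keyword` (or defined as a runtime field); a field Kibana shows as "unknown" is typically unmapped, so the aggregation would come back empty until the mapping is fixed.

```python
from collections import Counter

# ASSUMPTION: alerts carry the exception lists attached to their rule under
# this field as a list of {"id": ...} objects. Adjust to your actual mapping.
FIELD = "kibana.alert.rule.exceptions_list"

# Constructed sample alert documents (not real alerts, not from the post).
SAMPLE_ALERTS = [
    {"kibana.alert.rule.name": "Suspicious PowerShell", FIELD: [{"id": "exc-1"}]},
    {"kibana.alert.rule.name": "Suspicious PowerShell",
     FIELD: [{"id": "exc-1"}, {"id": "exc-2"}]},
    {"kibana.alert.rule.name": "Rare Process", FIELD: []},
    {"kibana.alert.rule.name": "Rare Process"},  # field absent entirely
    {"kibana.alert.rule.name": "DNS Tunneling", FIELD: [{"id": "exc-3"}]},
]


def exception_ids(alert: dict) -> list:
    """Exception IDs referenced by one alert document (empty list if none)."""
    entries = alert.get(FIELD) or []
    return [e["id"] for e in entries if isinstance(e, dict) and "id" in e]


def count_exception_hits(alerts) -> Counter:
    """Number of alerts on which each exception ID appears.

    An alert that lists the same ID twice is still counted once, which
    matches what a terms aggregation over the field would report.
    """
    hits = Counter()
    for alert in alerts:
        hits.update(set(exception_ids(alert)))
    return hits


def impact_summary(alerts) -> dict:
    """Share of alert volume that carries at least one exception reference."""
    total = len(alerts)
    touched = sum(1 for a in alerts if exception_ids(a))
    return {
        "total_alerts": total,
        "alerts_with_exceptions": touched,
        "share": touched / total if total else 0.0,
    }


def terms_agg_query(field: str = FIELD + ".id", size: int = 50,
                    window: str = "now-7d") -> dict:
    """Request body for the same count server-side, e.g. via the _search API
    on the alerts index. Requires `field` to be mapped as keyword."""
    return {
        "size": 0,
        "query": {"range": {"@timestamp": {"gte": window}}},
        "aggs": {
            "hits_per_exception": {"terms": {"field": field, "size": size}}
        },
    }


if __name__ == "__main__":
    print(count_exception_hits(SAMPLE_ALERTS))
    print(impact_summary(SAMPLE_ALERTS))
    print(terms_agg_query())
```

The offline counter is useful for sanity-checking what the aggregation should return once the field is mapped; if the two disagree, the mapping (not the rule) is the first thing to inspect.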