How to only send an alert when severity is high

Hello,

So I created this rule that triggers on Azure risky signins:

And as you can see I made an override for the azure.signinlogs.properties.risk_level_during_signin field.

But now the alert I configured triggers on low, medium and high risky signins. While actually I only want alerts for high risky signins. Could a functionality be added that the alert only triggers when a certain condition is met, for example when "rule severity has one or more values"?

Grtz

Willem

Hi @willemdh!

This definitely sounds like really useful functionality. I found a few resources that may be of use here and could satisfy the behavior you are looking for.

Have you heard of building block rules? In your stated case, you could mark the rule in your example as a building block rule. This would still create the alerts but hide them from the UI so that they don't create unnecessary noise. Then you could create a rule that searches the alerts index for those with high severity. You can find info on building block rules here.

This other forum post might also be of help.

Let us know if those resources address your use case or if we can be of any further help.

Best,
Yara

As I do want to see all risky signins in the GUI, I guess the only solution currently is splitting the rule in 3.

@willemdh you can still view all alerts if you'd like. You can find the filter here:


@yctercero Thanks for the help and suggestions, but imho this type of rule is not a building block alert. My question was more specific for the email action which I only want to trigger for high severity alerts, not for low or medium alerts (due to the override). Migrating this to a building block rule and creating a new rule to check for high severity alerts only for this specific rule seems a bit overkill. It seems much more logical to me to split up the rule in 3. Then I can provide custom settings and filters per severity.

Just noticed another issue with the email notification. I got an email with title "Elastic SIEM - high - Azure Risky Signin"

This is the configured macro:

"Elastic SIEM - {{context.rule.severity}} - {{context.rule.name}}"

But the email was sent for an alert which has a low severity (due to override).

This was also unexpected, so I guess another reason to split up the rule in 3?
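To make the two behaviours in this thread concrete, here is an added model (not Elastic's code) of a single rule with a severity override versus the same rule split into three. It assumes override entries are matched first-match-wins against the risk field, and that `{{context.rule.severity}}` renders the rule-level severity rather than the per-alert one; both are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

RISK_FIELD = "azure.signinlogs.properties.risk_level_during_signin"

@dataclass
class Rule:
    name: str
    severity: str                        # rule-level default severity
    match_values: tuple                  # risk levels the rule's query selects
    severity_mapping: list = field(default_factory=list)  # (value, severity); first match wins (assumed)
    email_enabled: bool = True

def alert_severity(rule, event):
    """Per-alert severity: first matching override entry, else the rule default."""
    for value, sev in rule.severity_mapping:
        if event.get(RISK_FIELD) == value:
            return sev
    return rule.severity

def email_subject(rule):
    """The thread's macro; context.rule.severity is modelled as the rule-level value (assumption)."""
    return f"Elastic SIEM - {rule.severity} - {rule.name}"

def run(rules, events):
    """Return one (rule name, alert severity, email subject or None) per alert."""
    results = []
    for rule in rules:
        for ev in events:
            if ev.get(RISK_FIELD) not in rule.match_values:
                continue
            sev = alert_severity(rule, ev)
            results.append((rule.name, sev, email_subject(rule) if rule.email_enabled else None))
    return results

def emails_sent(rules, events):
    """Only the alerts that actually trigger the email action."""
    return [(sev, subj) for _, sev, subj in run(rules, events) if subj]

# Constructed sample signin events (values Azure uses for this field)
EVENTS = [{RISK_FIELD: v} for v in ("none", "low", "medium", "high")]

# 1) One rule with an override, as in the question: every alert emails, always titled "high"
SINGLE = [Rule("Azure Risky Signin", "high", ("low", "medium", "high"),
               severity_mapping=[("low", "low"), ("medium", "medium"), ("high", "high")])]

# 2) The rule split in three: only the high rule carries the email action
SPLIT = [Rule(f"Azure Risky Signin - {lvl}", lvl, (lvl,), email_enabled=(lvl == "high"))
         for lvl in ("low", "medium", "high")]

if __name__ == "__main__":
    for label, rules in (("single", SINGLE), ("split", SPLIT)):
        print(label, emails_sent(rules, EVENTS))
```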
