Identifying User Who Acknowledged Security Alerts

Hello, I have not been able to find any documentation or threads, but apparently there might be a way to track who acknowledged alerts within Kibana Security. It appears the field "kibana.alert.workflow_assignment_ids" contains, per the docs: "List of users assigned to an alert.

An array of unique identifiers (UIDs) for user profiles, for example: ["u_1-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_0", "u_2-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_1"]

UIDs are linked to user profiles that are automatically created when users first log into a deployment. These profiles contain names, emails, profile avatars, and other user settings.".

How do you determine, using that UID, who exactly the user is though? Thanks for any assistance!


Hey @ej210!

If you want to track who updated an alert's status, you should use the kibana.alert.workflow_user field instead. The kibana.alert.workflow_assignment_ids field is used for tracking users assigned to the alert. Also, kibana.alert.workflow_status_updated_at will show the time when the status was last updated.

To fetch user profile details for a given UUID, you can use these APIs.

Let us know if that helps!

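The following is an added example (not code from this thread or from Elastic) showing how to put the answer above into practice: read the three workflow fields off alert documents, then resolve the profile UIDs to usernames. It assumes the Elasticsearch "get user profiles" endpoint `GET /_security/profile/{uid}` returns a `profiles` array whose items carry a `user` object with `username`, `email` and `full_name`, and, because the thread does not say whether `kibana.alert.workflow_user` holds a profile UID or a plain username, it handles both (a value starting with `u_` is treated as a UID). The alert documents and the profile directory are constructed sample data so the script runs offline; `make_es_fetcher` is the piece you would swap in against a real cluster.

```python
"""Added example: identify who acknowledged and who is assigned to Kibana Security alerts.

Not Elastic's code. Assumptions are marked in comments; sample data is constructed.
"""
import json
import urllib.request
from typing import Callable, Dict, List, Optional

Profile = Dict[str, Optional[str]]
Fetcher = Callable[[str], Optional[Profile]]

# Constructed sample alert documents, keyed by the dotted field names used in alert indices.
SAMPLE_ALERTS: List[dict] = [
    {
        "_id": "alert-1",
        "kibana.alert.rule.name": "Sample rule A",
        "kibana.alert.workflow_status": "acknowledged",
        "kibana.alert.workflow_user": "u_1-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_0",
        "kibana.alert.workflow_status_updated_at": "2024-05-01T10:15:00.000Z",
        "kibana.alert.workflow_assignment_ids": [
            "u_2-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_1",
        ],
    },
    {
        "_id": "alert-2",
        "kibana.alert.rule.name": "Sample rule B",
        "kibana.alert.workflow_status": "open",
        # never acknowledged or assigned: no user, no timestamp, no assignees
    },
]

# Constructed stand-in for the user profile service (UID -> profile), for offline runs.
FAKE_PROFILE_DIRECTORY: Dict[str, Profile] = {
    "u_1-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_0": {
        "username": "alice", "email": "alice@example.com", "full_name": "Alice Analyst"},
    "u_2-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_1": {
        "username": "bob", "email": "bob@example.com", "full_name": "Bob Responder"},
}


def stub_fetcher(uid: str) -> Optional[Profile]:
    """Offline profile lookup against the constructed directory."""
    return FAKE_PROFILE_DIRECTORY.get(uid)


def make_es_fetcher(es_url: str, api_key: str) -> Fetcher:
    """Build a fetcher that calls GET {es_url}/_security/profile/{uid}.

    Assumed response shape: {"profiles": [{"uid": ..., "user": {"username": ...,
    "email": ..., "full_name": ...}}], "errors": {...}}.
    """
    def fetch(uid: str) -> Optional[Profile]:
        req = urllib.request.Request(
            f"{es_url.rstrip('/')}/_security/profile/{uid}",
            headers={"Authorization": f"ApiKey {api_key}", "Accept": "application/json"},
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            body = json.load(resp)
        for prof in body.get("profiles", []):
            if prof.get("uid") == uid:
                user = prof.get("user", {})
                return {"username": user.get("username"), "email": user.get("email"),
                        "full_name": user.get("full_name")}
        return None  # UID not found (it will be listed under "errors" by the API)
    return fetch


def describe_user(ident: Optional[str], fetch: Fetcher, cache: Dict[str, Optional[Profile]]) -> Optional[str]:
    """Render a UID or username as 'username <email>'; unresolvable UIDs fall back to the raw value."""
    if not ident:
        return None
    if not ident.startswith("u_"):
        return ident  # assumption: non-"u_" values are already usernames
    if ident not in cache:  # one lookup per UID, however many alerts reference it
        cache[ident] = fetch(ident)
    prof = cache[ident]
    if prof is None or not prof.get("username"):
        return ident
    email = prof.get("email")
    return f"{prof['username']} <{email}>" if email else prof["username"]


def summarize_alerts(alerts: List[dict], fetch: Fetcher) -> List[dict]:
    """One row per alert: status, who last changed it and when, and resolved assignees."""
    cache: Dict[str, Optional[Profile]] = {}
    rows = []
    for a in alerts:
        rows.append({
            "id": a.get("_id"),
            "rule": a.get("kibana.alert.rule.name"),
            "status": a.get("kibana.alert.workflow_status"),
            "status_changed_by": describe_user(a.get("kibana.alert.workflow_user"), fetch, cache),
            "status_changed_at": a.get("kibana.alert.workflow_status_updated_at"),
            "assignees": [describe_user(u, fetch, cache)
                          for u in a.get("kibana.alert.workflow_assignment_ids", [])],
        })
    return rows


if __name__ == "__main__":
    # Against a live cluster: make_es_fetcher("https://es.example.invalid:9200", "<api key>")
    for row in summarize_alerts(SAMPLE_ALERTS, stub_fetcher):
        print(json.dumps(row))
```

The cache in `summarize_alerts` matters once you run this over a day's worth of alerts: the same handful of analysts acknowledge most of them, so resolving each UID once keeps the profile API calls to a handful regardless of alert volume.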
