Identifying User Who Acknowledged Security Alerts

ej210 · July 19, 2024, 4:33pm

Hello, I have not been able to find any documentation or threads but apparently there might be a way to track who acknowledged alerts within Kibana Security, it appears the field "kibana.alert.workflow_assignment_ids" contains per docs "List of users assigned to an alert.

An array of unique identifiers (UIDs) for user profiles, for example: ["u_1-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_0, u_2-0CcWliOCQ9T2MrK5YDjhpxZ_AcxPKt3pwaICcnAUY_1"]

UIDs are linked to user profiles that are automatically created when users first log into a deployment. These profiles contain names, emails, profile avatars, and other user settings.".

How do you determine using that UID who exactly the user is though? Thanks for any assistance!

isorokopud · July 22, 2024, 10:45am

Hey @ej210!

If you wanna track who updated alert's status you should use kibana.alert.workflow_user field instead. The kibana.alert.workflow_assignment_ids field is used for tracking users assigned to the alert. Also, kibana.alert.workflow_status_updated_at will show the time when the status was last updated.

To fetch user profile details having a UUID, you can use these APIs.

Let us know if that helps!

system · August 19, 2024, 10:45am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Elastic - user account Elastic Security	2	31	August 14, 2024
Determine the user that acknowledged an Alert SIEM	6	470	January 18, 2024
Alert triage enhancement ideas SIEM	4	215	June 18, 2024
Can we trigger alert to end user filter from log message Kibana elastic-stack-alerting , kql-kibana-query-language	2	237	September 18, 2023
Feature Request: Alert Assignment to user SIEM	2	439	September 30, 2020

Identifying User Who Acknowledged Security Alerts

Related topics