Is it possible to set kibana.alert.workflow as mandatory field

marcou · January 6, 2025, 11:32am

Hello everyone,
We are looking for a way in Elastic Security to define the kibana.alert.workflow_tags field as a mandatory field.
The goal is that you cannot simply close alerts, but first have to set the kibana.alert.workflow_tags field and only then you can close the alert or, even better, set it directly when closing it.

Why this:
We have to regularly report how many of our alerts were false positive.
To do this, we set the value "false positive" for false positive alerts.

The following requirement applies: Alert is "false positive" then set the value of "kibana.alert.workflow_tags" to "false positive", if not or uncertain then open a case and set "kibana.alert.workflow_tags" to "case".

Unfortunately, the value in kibana.alert.workflow_tags is often forgotten, which then means additional, not insignificant effort and additional explanations to management.

Best regards

Jatin_Kathuria · January 24, 2025, 1:00pm

Hey @marcou ,

As of today, there is no way to achieve this. Although, it is in our roadmap to ask an Analyst for the reason of closing an alert but I cannot give any timeline on that.

When we start doing that, we will try to take your feeback in purview.

Thanks

system · February 21, 2025, 1:00pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Getting Alerts and Actions to work Kibana elastic-stack-alerting	4	1236	April 8, 2021
Kibana: how to set up alerts on a boolean field Kibana	2	199	January 2, 2023
Kibana alert on boolean field possible? Kibana elastic-stack-alerting	3	741	December 1, 2020
Alert set in Kibana Kibana	2	377	May 19, 2017
Alert for every document based on the field value Kibana elastic-stack-alerting	6	1650	February 3, 2023

Is it possible to set kibana.alert.workflow as mandatory field

Related topics