Hello everyone,
We are looking for a way in Elastic Security to define the kibana.alert.workflow_tags field as a mandatory field.
The goal is that you cannot simply close alerts, but first have to set the kibana.alert.workflow_tags field; only then can you close the alert or, even better, set it directly when closing it.
Why this:
We have to regularly report how many of our alerts were false positive.
To do this, we set the value "false positive" for false positive alerts.
The following requirement applies: if the alert is a false positive, set the value of "kibana.alert.workflow_tags" to "false positive"; if not, or if uncertain, open a case and set "kibana.alert.workflow_tags" to "case".
Unfortunately, the value in kibana.alert.workflow_tags is often forgotten, which then means additional, not insignificant, effort and additional explanations to management.
Best regards
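Until the UI can enforce the field, the gap described in the post can at least be audited. The following is an added example (not code from the original post or from Elastic): it encodes the stated rule (a closed alert must carry exactly one of the tags "false positive" or "case"), runs it over a few constructed alert documents, and produces the false-positive count that the post says must be reported. It assumes the standard Elastic Security alert index pattern `.alerts-security.alerts-*` and the field `kibana.alert.workflow_status` (values open/acknowledged/closed); the query DSL constant is what you would run against that index to list closed alerts with no tag at all.

```python
# Added example, not from the original post: audit closed Elastic Security
# alerts for a missing or unexpected kibana.alert.workflow_tags value.
# Assumptions: ".alerts-security.alerts-*" is the alerts index pattern and
# kibana.alert.workflow_status (open/acknowledged/closed) is the status field;
# the allowed tag values "false positive" and "case" come from the post.
from typing import Iterable

ALLOWED_TAGS = {"false positive", "case"}
TAGS_FIELD = "kibana.alert.workflow_tags"
STATUS_FIELD = "kibana.alert.workflow_status"
ALERTS_INDEX = ".alerts-security.alerts-*"  # assumed standard pattern

# Elasticsearch query DSL: closed alerts that have no workflow_tags at all.
# Run it against ALERTS_INDEX (e.g. via the _search API) to get the backlog.
MISSING_TAG_QUERY = {
    "query": {
        "bool": {
            "filter": [{"term": {STATUS_FIELD: "closed"}}],
            "must_not": [{"exists": {"field": TAGS_FIELD}}],
        }
    }
}


def check_alert(alert: dict) -> list[str]:
    """Return the policy violations for one alert document (flat field names)."""
    problems: list[str] = []
    if alert.get(STATUS_FIELD) != "closed":
        return problems  # the rule only applies once an alert is closed
    tags = alert.get(TAGS_FIELD) or []
    if isinstance(tags, str):  # single value may arrive as a plain string
        tags = [tags]
    if not tags:
        problems.append("closed without workflow_tags")
        return problems
    unexpected = sorted(set(tags) - ALLOWED_TAGS)
    if unexpected:
        problems.append("unexpected tag(s): " + ", ".join(unexpected))
    if len(set(tags) & ALLOWED_TAGS) > 1:
        problems.append("both 'false positive' and 'case' set")
    return problems


def audit(alerts: Iterable[dict]) -> dict[str, list[str]]:
    """Map alert _id -> violations, only for alerts that violate the policy."""
    return {a["_id"]: p for a in alerts if (p := check_alert(a))}


def false_positive_summary(alerts: Iterable[dict]) -> tuple[int, int]:
    """Return (closed alerts tagged 'false positive', closed alerts total)."""
    closed = [a for a in alerts if a.get(STATUS_FIELD) == "closed"]
    fp = [a for a in closed
          if "false positive" in (
              [a[TAGS_FIELD]] if isinstance(a.get(TAGS_FIELD), str)
              else a.get(TAGS_FIELD) or [])]
    return len(fp), len(closed)


# Constructed sample documents (not real alerts) covering the cases that matter.
SAMPLE_ALERTS = [
    {"_id": "a1", STATUS_FIELD: "closed", TAGS_FIELD: ["false positive"]},
    {"_id": "a2", STATUS_FIELD: "closed"},                       # tag forgotten
    {"_id": "a3", STATUS_FIELD: "open"},                         # not yet closed
    {"_id": "a4", STATUS_FIELD: "closed", TAGS_FIELD: ["case"]},
    {"_id": "a5", STATUS_FIELD: "closed", TAGS_FIELD: "tuning"},  # wrong value
    {"_id": "a6", STATUS_FIELD: "closed",
     TAGS_FIELD: ["false positive", "case"]},                    # contradictory
]

if __name__ == "__main__":
    for alert_id, problems in audit(SAMPLE_ALERTS).items():
        print(alert_id, "->", "; ".join(problems))
    fp, closed = false_positive_summary(SAMPLE_ALERTS)
    print(f"false positives: {fp} of {closed} closed alerts")
```

Scheduling `audit` over the real closed alerts (or simply running `MISSING_TAG_QUERY` daily) turns the forgotten tag from a surprise at reporting time into a short list that the analyst can fix the same day.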