Measuring reaction to detection

Anna_Foxx · March 25, 2021, 2:28pm

Hi!

I want to know whether there is a functionality in Elastic Security to monitor reaction time to detection for example to count SLA. Is there smth called internal index from which I can get fields that will show me when my detection has been created and closed? And after that to build a dashboard based on reaction speed

Btw, can I escalate an alert to another analyst? Or mark it as false positive. Unfortunately, I haven't found such buttons

peter_luo · March 26, 2021, 4:21am

Not sure if that is built in feature yet, anyone from ELK can respond?

austinsonger · March 28, 2021, 5:48pm

So here is what I do for our clients when it comes to using Elastic SIEM and ensuring SLA:

Use JIRA Service Desk and use their SLA feature
Configure Elastic SIEM to create a ticket in JIRA automatically anytime a Detection is trigger in Elastic.
- Here is the easy of bulk editing script all of the detection rules
  - Elastic Security: Bulk Detection Rule Modification via Detection API - JIRA Connector
  - GitHub - austinsonger/Elastic-Security: Repo for Automations and other solutions for Elastic SIEM/Security.
So we basically subvert Elastic SIEM to JIRA for the initial detection and the following will show the information I have sent to JIRA:
- Elastic SIEM Connector to JIRA Service Desk Template #JIRA #Elastic · GitHub

austinsonger · March 28, 2021, 6:08pm

You can see if someone already has requested this feature in Github. And if you don't find anything, then you should request it.

Anna_Foxx · March 29, 2021, 8:49am

Thank you for your advice!

system · April 26, 2021, 8:50am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.