Response Action History Alerting

I've opened up a case with Elastic Support but their first response didn't get it, so figured I'd try here as well.

Other EDRs like Falcon have pretty good audit logs you can create alerts on, but I haven't yet found a way to do a Slack notification for Response actions history (Elastic Security Solution [8.13] docs), which is kind of important.

Anyone solve this?

I couldn't find any index where this data was stored, and even looked at the hidden indexes.

Hi Matthew,

Thanks for reaching out with the query. I'm assuming you're running the v8.13 stack. If so, the data that the response actions history page uses is stored in the .logs-endpoint.actions-<namespace> and .logs-endpoint.action.responses-<namespace> data streams. Those data streams write to indices that have a .ds- prefix. The former stores the action requests and the latter stores the responses to the action requests.

I can't see the link to the support case you mentioned, but I imagine that you want to create Slack notifications on response actions history so that you're notified when the status of a specific request changes from pending to failed or success, as well as get notified whenever a new action request is created (for any/all of your endpoints)?

We don't have such a feature on the response actions history yet, but it certainly seems useful, so please create an enhancement request for this on the Kibana repo, where you can follow the discussion/progress on the ticket, and tag it Team: Defend Workflows. You can begin by assigning that ticket to me (@ashokaditya) and @dasansol92.

Let us know if you need further help.
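The reply above describes two data streams, one holding action requests and one holding their responses. The script below is an added example (not Elastic's code and not from either poster) showing how a defender could join the two to derive the pending/failed/success state a Slack notification would report. The sample documents are constructed, and the field names (EndpointActions.action_id, EndpointActions.data.command, error) are assumptions rather than verified 8.13 mappings.

```python
"""Join endpoint response-action requests with their responses and build
notification text. Sample documents are constructed; field names are assumed."""

# Constructed requests, modelled on .logs-endpoint.actions-<namespace> docs.
REQUESTS = [
    {"@timestamp": "2024-05-01T10:00:00Z", "agent": {"id": "agent-a"},
     "EndpointActions": {"action_id": "act-1", "data": {"command": "isolate"}}},
    {"@timestamp": "2024-05-01T10:05:00Z", "agent": {"id": "agent-b"},
     "EndpointActions": {"action_id": "act-2", "data": {"command": "kill-process"}}},
    {"@timestamp": "2024-05-01T10:07:00Z", "agent": {"id": "agent-c"},
     "EndpointActions": {"action_id": "act-3", "data": {"command": "unisolate"}}},
]

# Constructed responses, modelled on .logs-endpoint.action.responses-<namespace>.
# act-3 has no response yet, so it should still be reported as pending.
RESPONSES = [
    {"@timestamp": "2024-05-01T10:01:00Z", "agent": {"id": "agent-a"},
     "EndpointActions": {"action_id": "act-1"}},
    {"@timestamp": "2024-05-01T10:06:00Z", "agent": {"id": "agent-b"},
     "EndpointActions": {"action_id": "act-2"},
     "error": {"message": "process not found"}},
]


def derive_status(requests, responses):
    """Return one record per request with its derived status."""
    # Index responses by action_id so each request is matched in O(1).
    resp_by_id = {r["EndpointActions"]["action_id"]: r for r in responses}
    records = []
    for req in requests:
        action_id = req["EndpointActions"]["action_id"]
        resp = resp_by_id.get(action_id)
        if resp is None:
            status = "pending"          # request written, no response yet
        elif "error" in resp:
            status = "failed"           # endpoint answered with an error
        else:
            status = "success"          # endpoint acknowledged the action
        records.append({"action_id": action_id,
                        "command": req["EndpointActions"]["data"]["command"],
                        "agent_id": req["agent"]["id"], "status": status})
    return records


def slack_text(record):
    """Render a record as the one-line text a webhook payload would carry."""
    return (f"Response action {record['command']} ({record['action_id']}) "
            f"on {record['agent_id']}: {record['status']}")
```

In a real deployment the two lists would come from a query against each data stream, and the `slack_text` output would be posted to an incoming-webhook URL.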
