See Who's changing signal detections

Can you see which account have changed the signal.status field in elastic? if not can this be looked into I think it would be really useful to see which analyst is closing which detections

Check more on Auditing

• Auditing security settings | Elasticsearch Guide [8.11] | Elastic
• Audit events | Elasticsearch Guide [8.11] | Elastic

ah i was hoping it could be in the event itself, so it appears in the siem-signals-* indcies for use in dashdoards etc

This is part of the reason why I use JIRA and you can read my response to another person question.

• Measuring reaction to detection - #3 by austinsonger

I'm sure elastic with add that down the road, but they already have enough in their backlog and items that are higher priority. But you can check here if someone has already created a feature request for this and if you don't, then you should add a feature request.

• https://github.com/elastic/kibana/issues?q=is:open+is:issue+label:"Team:+SecuritySolution"

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.