Hi to everyone,
We use the ECS field 'organization.name" and "data_stream.namespace" to distinguish the organization name, and it work well with SIEM alert rules excluding those based on machine learning.
On this king of rules we are unable to determine the organization name because there isn't no one reference to it on alerts.
Is there any way to make the organization discoverable?
Hi @Crazyworlds - Thanks for reaching out! I just want to be clear about your question. Are you trying to make the organization name discoverable for ML rules?
Hi Michael,
We have some organization unit and to identify them we use the field "organization.name" and "data_stream.namespace".
These fields are populated in the indexes at ingestion time, and for all SIEM rule that are not ML related, we can identify the organization on witch the event is referred.
We have notice that on all pre built ML related rules this field are not populated and the only way to identify the organization referred is to analyze the related elements.
In this way the identification of the relevant organization takes more time than the analysis of the event itself.
For this reason I was asking if there was a way to ensure that the fields, used to identify the organization, were treated, and therefore present, also in the alerts generated by these ML rules.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.