Tagging Signals with some metadata or tags

Hi, I wanted to know is it possible to tag signals with some keywords like False Positive / True positive / True Positive - not malicious, etc., or would it require actually updating the document. I would be interested in measuring the signals and doing further analysis on them.

@forkhead thanks for another great request. You are blazing a trail across our workflow roadmap!

I wanted to know is it possible to tag signals with some keywords like False Positive / True positive / True Positive - not malicious, etc.

No, there is not currently an in-app or SIEM API-based means to add the kind of metadata that you describe to a signal. We do have future plans to augment signal state/disposition information available in signals.

or would it require actually updating the document.

Yes, since signals are indeed Elasticsearch documents stored in the .siem-signals-* indices, any additional metadata added to the signal would require updating the signal document. Note, the signal document is not the ingested event document, so there is never a need to modify the raw events.

I would be interested in measuring the signals and doing further analysis on them.

We agree that analysis on properly tagged signals is of key importance to measure SOC performance metrics.

Currently the signal document has a single "status" field, which only supports "open" and "closed" states. See the Detections API Set Signals endpoint. An "in-progress" state is being developed as a next step.

One future idea is to add an additional field to the signals document, perhaps a "disposition" field, that when closing a signal, the user could select from a set of pre-defined keyword values, for example:

  • <leave blank>
  • false_positive_exception_created
  • false_positive_rule_modified
  • false_positive_dismissed
  • true_positive_case_created
  • true_positive_exception_created
  • true_positive_dismissed
  • no_finding

Any feedback on this future idea is welcome.

Thanks again!
Mike P.

Thanks, @Mike_Paquette, for the information. Yup, we would be interested in measuring SOC performance, and also we would be interested in calculating a detections/signals true positive vs false positive ratio. The thinking behind it would be that if we are constantly generating a false positive on some detection/signal, we need to tweak it to make it more relevant.

Yes, that sounds like a good start; not sure if other users would want to bring their own keywords for better customization and control.

Sure, will do; just trying to get a better understanding of how the whole workflow could be for SOC and for IR.
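One way to act on both points above (stamping a disposition keyword on closed signal documents in .siem-signals-*, and computing the per-rule true positive vs false positive ratio from it), as an added example that is not code from this thread or from Elastic: the `signal.disposition` field is hypothetical (the thread says no such field exists yet), the sample signal documents and rule names are constructed, and the request body is a plain dict to send with any HTTP client to the Elasticsearch `_update_by_query` endpoint.

```python
from collections import Counter, defaultdict

# Pre-defined keyword values proposed in the thread; blank means "not set".
DISPOSITIONS = {"false_positive_exception_created", "false_positive_rule_modified",
                "false_positive_dismissed", "true_positive_case_created",
                "true_positive_exception_created", "true_positive_dismissed", "no_finding"}

def disposition_update_body(signal_ids: list, disposition: str) -> dict:
    """Body for POST /.siem-signals-*/_update_by_query that sets the hypothetical
    signal.disposition keyword on the given signals, only if they are already closed.
    The value travels in script params, never spliced into the Painless source."""
    if disposition not in DISPOSITIONS:
        raise ValueError(f"unknown disposition: {disposition!r}")
    return {
        "query": {"bool": {"filter": [{"ids": {"values": list(signal_ids)}},
                                      {"term": {"signal.status": "closed"}}]}},
        "script": {"lang": "painless", "params": {"d": disposition},
                   "source": "ctx._source.signal.disposition = params.d"},
    }

def tp_fp_by_rule(signals, min_judged: int = 5) -> dict:
    """Per rule name, count true_positive_* vs false_positive_* dispositions and flag
    rules whose judged signals are mostly false positives as tuning candidates."""
    counts = defaultdict(Counter)
    for doc in signals:
        disp = doc["signal"].get("disposition", "")
        bucket = ("tp" if disp.startswith("true_positive")
                  else "fp" if disp.startswith("false_positive") else "unjudged")
        counts[doc["signal"]["rule"]["name"]][bucket] += 1  # blank/no_finding -> unjudged
    report = {}
    for rule, c in counts.items():
        judged = c["tp"] + c["fp"]
        fp_rate = c["fp"] / judged if judged else None  # None: nothing judged yet
        report[rule] = {"tp": c["tp"], "fp": c["fp"], "unjudged": c["unjudged"], "fp_rate": fp_rate,
                        "needs_tuning": bool(judged >= max(min_judged, 1) and fp_rate > 0.5)}
    return report

def _sig(rule: str, status: str, disposition: str = "") -> dict:
    """Constructed sample signal document, shaped like the signal.* fields of a real one."""
    sig = {"status": status, "rule": {"name": rule}}
    return {"signal": dict(sig, disposition=disposition) if disposition else sig}

# Constructed sample data: one noisy rule, one rule whose signals were all real.
SAMPLE_SIGNALS = (
    [_sig("rare_process_rule", "closed", "false_positive_rule_modified") for _ in range(4)]
    + [_sig("rare_process_rule", "closed", "true_positive_case_created"),
       _sig("rare_process_rule", "open"),  # still open: nothing to judge yet
       _sig("cred_dump_rule", "closed", "true_positive_case_created"),
       _sig("cred_dump_rule", "closed", "true_positive_dismissed"),
       _sig("cred_dump_rule", "closed", "no_finding")])
```

`tp_fp_by_rule(SAMPLE_SIGNALS)` flags `rare_process_rule` (4 of 5 judged signals were false positives) and leaves `cred_dump_rule` alone; the same per-rule counts can be obtained server-side with a terms aggregation on `signal.rule.name` and a sub-aggregation on the disposition field once it exists.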