Hello, what exactly is "External Alerts" in the SIEM rules? It doesn't do anything for us.
For us it's any other alert triggered by another security tool like Palo Alto. I get a ton of URL_Filtering alerts from my Palo's marked as External Alerts.
I wish it would just be a default action rule, because I need to set the email alert action for every rule that we activated... over 500 rules and need to set the email alert one by one. My hope was "External Alerts" would apply to all alerts not from the Elastic Security rule.
Have you ever thought about the possibility that configuring all this amount of email alerts can lead to many false positives and wear on the triage of events?
In fact, external alerts are alerts produced by tools such as IPS rules in a fortigate, DLP rules in office 365, Elastic endpoint alerts, among others.
That's the point of a SIEM, we receive tons of false positives, look at them, then tuned them accordingly - every network/environment is different. After a month, things are quieter, and when there's an alert, it becomes closer to be a true positive.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.