
Personalization of the Highlighted fields in an Alert Rule #131778

Closed
Tracked by #165878
StevenZD opened this issue May 8, 2022 · 17 comments
Labels
enhancement New value added to drive a business result Feature:Detection Alerts Security Solution Detection Alerts Feature Team:Detection Engine Security Solution Detection Engine Area Team:Detection Rule Management Security Detection Rule Management Team Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.

Comments

@StevenZD

StevenZD commented May 8, 2022

In Kibana Security, there are some alerts that are triggered by Alert Rules.
When looking at the details of an alert, there is a sidebar that shows the Highlighted fields. These fields are supposed to be the most relevant ones, but often are not.


The request would be to define within the alert rule what Highlighted fields should appear (and in what order).

thank you

@botelastic botelastic bot added the needs-team Issues missing a team label label May 8, 2022
@jsanz jsanz added the Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) label May 11, 2022
@elasticmachine
Contributor

Pinging @elastic/response-ops (Team:ResponseOps)

@botelastic botelastic bot removed the needs-team Issues missing a team label label May 11, 2022
@pradeep577

This is a good request so we don't have to parse 10 pages... I was directed here by support Case Update for #01026854.

Please consider this a feature request. Kindly give us option to manage the fields via GUI and not through code.

@sophiec20 sophiec20 added Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. and removed Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) labels Sep 7, 2022
@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@chadnormanimpact

Agree, please could we get this feature implemented.

@emilyastranova

Would really like to see this implemented

@spong spong added triage_needed Team:Detections and Resp Security Detection Response Team Feature:Detection Alerts Security Solution Detection Alerts Feature Team:Detection Rule Management Security Detection Rule Management Team Team:Detection Alerts Security Detection Alerts Area Team labels Jan 24, 2023
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@StevenZD
Author

Any update on this?
With the latest update it would also be very relevant to be able to customize the Alert Reason (the generic text is totally useless...).

@majesticbuffalo

I would also really like to see this implemented. 90% of the detections I work with now have highlighted fields that are not relevant to the investigation. If unable to add to the gui of rule config, might we be able to add the desired highlighted fields to the rule query similar to how SPL uses the "table" command?

@spong
Member

spong commented Mar 1, 2023

While I don't have any updates on this particular issue of personalizing the highlighted fields, there has been some headway to addressing this sort of customization with the new 'insights in markdown' features added in 8.6 (#145240) and more importantly their integration with Investigation Guides, Timeline Notes, and other markdown fields coming in 8.7 (#150363).

With the latter you'll be able to provide custom markdown that can be used to surface particular fields from alerts in the alert details flyout, e.g.

So hopefully this helps bridge the gap as we continue to add further customization here. We definitely appreciate all your feedback, so thank you for taking the time to submit it, and of course continue to watch this issue for updates. 🙂

@hatl3n

hatl3n commented Apr 12, 2023

Oh yeah, this would be great. Was just making a rule and would love for the winlog.event_data.Subject field to just be there. This is especially important for rules that don't follow the Elastic Common Schema, as it's often not easy for the responder to know which fields to look for.

@emilyastranova

Oh yeah, this would be great. Was just making a rule and would love for the winlog.event_data.Subject field to just be there. This is especially important for rules that don't follow the Elastic Common Schema, as it's often not easy for the responder to know which fields to look for.

Yeah really hoping this PR goes through: #152871

@g0tr3wt

g0tr3wt commented Apr 25, 2023

I would also like to second the request to modify (or otherwise customize) the Alert Reason field in Elastic Security. Ideally, it would be something we could specify when creating a new rule, giving users the ability to select the default Alert Reason, a predefined/saved Alert Reason, or a custom Alert Reason.

A potential use case for a custom or saved Alert Reason would be as follows:

event.category event by user.name triggered kibana.alert.severity alert kibana.alert.rule.name on sensor.name after performing event.action action for organization.name in organization.id from source.geo.country_iso_code IP source.address at @timestamp.

This could/would look something like this:

iam event by john.doe triggered low alert AWS IAM Group Creation on sensor-aws980 after performing CreateGroup action for NotACorp, inc. in Dev-prod from US IP xx.xx.xx.xx at 2023-04-25 @ 12:53:32.732.
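
The two requests in this thread, a rule-defined ordered list of highlighted fields (the original issue) and a templated Alert Reason like the one in the comment above, are easy to model outside Kibana. The following Python is an added illustration, not code from the thread or from Kibana; the rule-level settings, the `{field}` template syntax, the sample alert document, and the `<missing>` placeholder are all assumptions constructed here. It resolves ECS-style dotted field names against either nested or flat documents, keeps the rule's field order, drops fields the alert does not carry, joins list-valued ECS fields, and never throws on a missing field, which is the failure mode a templated reason has to handle when a rule's events do not follow ECS.

```python
"""Model custom highlighted fields and a templated alert reason (constructed example)."""
import re
from typing import Any

# Hypothetical rule-level settings, constructed for this example.
RULE_HIGHLIGHTED_FIELDS = [
    "user.name",
    "event.action",
    "source.address",
    "source.geo.country_iso_code",
    "organization.name",
    "winlog.event_data.Subject",  # not present in the sample alert; should be skipped
]

# Hypothetical reason template: {dotted.field} is replaced by the alert's value.
REASON_TEMPLATE = (
    "{event.category} event by {user.name} triggered {kibana.alert.severity} alert "
    "{kibana.alert.rule.name} on {sensor.name} after performing {event.action} action "
    "for {organization.name} in {organization.id} from {source.geo.country_iso_code} "
    "IP {source.address} at {@timestamp}."
)

# Constructed alert document (values invented; 192.0.2.10 is a documentation address).
SAMPLE_ALERT: dict = {
    "@timestamp": "2023-04-25T12:53:32.732Z",
    "event": {"category": ["iam"], "action": "CreateGroup"},  # ECS category is a list
    "user": {"name": "john.doe"},
    "kibana": {"alert": {"severity": "low", "rule": {"name": "AWS IAM Group Creation"}}},
    "sensor": {"name": "sensor-aws980"},
    "organization": {"name": "NotACorp, inc.", "id": "Dev-prod"},
    "source": {"address": "192.0.2.10", "geo": {"country_iso_code": "US"}},
}

FIELD_RE = re.compile(r"\{(?P<name>[A-Za-z0-9_.@]+)\}")


def get_field(doc: dict, path: str) -> Any:
    """Resolve a dotted field name against a nested document or a flat one
    (Elasticsearch may return either shape). Returns None when absent."""
    if path in doc:
        return doc[path]
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def fmt(value: Any) -> str:
    """Render list-valued ECS fields as a comma-separated string."""
    if isinstance(value, list):
        return ", ".join(str(v) for v in value)
    return str(value)


def select_highlighted(alert: dict, fields: list[str]) -> list[tuple[str, str]]:
    """Return (field, value) pairs in the rule-configured order, skipping
    fields the alert does not carry so the sidebar shows only populated values."""
    out: list[tuple[str, str]] = []
    for field in fields:
        value = get_field(alert, field)
        if value is not None:
            out.append((field, fmt(value)))
    return out


def render_reason(template: str, alert: dict, missing: str = "<missing>") -> str:
    """Substitute every {field} in the template; unknown fields become `missing`
    instead of raising, so a non-ECS event still produces a readable reason."""

    def sub(match: re.Match) -> str:
        value = get_field(alert, match.group("name"))
        return missing if value is None else fmt(value)

    return FIELD_RE.sub(sub, template)


if __name__ == "__main__":
    for field, value in select_highlighted(SAMPLE_ALERT, RULE_HIGHLIGHTED_FIELDS):
        print(f"{field}: {value}")
    print(render_reason(REASON_TEMPLATE, SAMPLE_ALERT))
```

Because the template is resolved per alert, the same rule can keep a short, stable reason while the highlighted-field list carries the investigation context; a field that only some events populate (such as winlog.event_data.Subject) simply disappears from the sidebar rather than showing an empty value.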

@yctercero yctercero added Team:Detection Engine Security Solution Detection Engine Area and removed Team:Detection Alerts Security Detection Alerts Area Team labels May 13, 2023
@gittihub123

Hi team,
Any update on this one?

We need to use the Discover tab when we want to dig deep into the alert. Would be great to have:

  1. A discover button on the alert so it's easy to get forwarded to the alert and also get the timestamps right.
  2. Possibility to customize the highlighting fields based on personal preference.
  3. Context to the alert discover tab when sending out the alert with the connector.

One way to work around the issue right now is to manually create a search query in Discover and paste it in the connector alert, but we don't get the timestamps of the alert that way.

Thanks.

@yctercero
Contributor

Hey folks - working on this feature in this PR.

@g0tr3wt

g0tr3wt commented Oct 4, 2023

Me waiting for this feature 🥶

@yctercero
Contributor

Hey @g0tr3wt ! Happy to update that this was released in 8.10 🎉 You can find it documented here under 'Custom highlighted fields'.

@g0tr3wt

g0tr3wt commented Oct 11, 2023

Woot! Thank you @yctercero!!
