Add KQL search bar to the security rules management interface #130842
Labels:
- Team:Detection Rule Management (Security Detection Rule Management Team)
- Team: SecuritySolution (Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc.)
It would be great to see a KQL search bar in the Security > Rules page which can search more than the rule name.
Find newly created security rules we need to enable using the createdAt timestamp in the .kibana index. We can do a now-30d KQL query to find new rules. There are over 600 rules and the created timestamp isn't available in the UI. This makes it difficult to identify new rules which have been released which we should enable. Currently we have to periodically review all 600 pre-built rules to find rules we need to clone. At the moment we have to use a Python script to build a dashboard which searches the .kibana index for rules using the createdAt timestamp.
Filter index patterns to find rules we have data for, i.e. search for the winlogbeat index pattern to find rules for alerting on Windows event logs. It's terribly time-consuming to go through the rules to find rules we have data for; for example, if we don't have registry data we want to exclude rules which require it from the rules page.
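The workflow the request describes (rules created in the last 30 days, restricted to those whose index patterns we actually ingest), as an added example in Python; it is not the author's script or Kibana code. The saved-object field names (`type: alert`, `alert.createdAt`, `alert.params.index`) and the sample documents are assumptions about how rules are stored in .kibana, so verify them against your Kibana version.

```python
from datetime import datetime, timedelta
from fnmatch import fnmatch

# Constructed sample documents shaped like rule saved objects in .kibana.
# Field names are an assumption about Kibana's storage format.
SAMPLE_DOCS = [
    {"type": "alert", "alert": {"name": "Suspicious PowerShell",
        "createdAt": "2022-04-20T10:00:00.000Z",
        "params": {"index": ["winlogbeat-*", "logs-windows.*"]}}},
    {"type": "alert", "alert": {"name": "Registry Run Key Persistence",
        "createdAt": "2022-04-21T10:00:00.000Z",
        "params": {"index": ["logs-endpoint.events.registry-*"]}}},
    {"type": "alert", "alert": {"name": "Old Linux Rule",
        "createdAt": "2021-01-05T10:00:00.000Z",
        "params": {"index": ["auditbeat-*"]}}},
    {"type": "index-pattern", "index-pattern": {"title": "winlogbeat-*"}},
]

# Constructed list of concrete indices this cluster actually ingests.
OUR_INDICES = ["winlogbeat-7.17.0-2022.04.22", "filebeat-7.17.0-2022.04.22"]


def build_query(days=30, index_pattern="winlogbeat-*"):
    """Server-side equivalent: Elasticsearch query DSL against .kibana
    for rules created in the last `days` days that use `index_pattern`."""
    return {"query": {"bool": {"filter": [
        {"term": {"type": "alert"}},
        {"range": {"alert.createdAt": {"gte": f"now-{days}d"}}},
        {"term": {"alert.params.index": index_pattern}},
    ]}}, "_source": ["alert.name", "alert.createdAt", "alert.params.index"]}


def rule_has_data(rule, our_indices):
    """True if any of the rule's index patterns matches an index we ingest,
    so a rule needing registry data is dropped when we have none."""
    return any(fnmatch(idx, pat) for pat in rule["params"]["index"]
               for idx in our_indices)


def new_rules_with_data(docs, our_indices, now_iso, days=30):
    """Client-side filter over fetched saved objects: names of rules
    created within `days` of `now_iso` whose data sources we have."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    cutoff = now - timedelta(days=days)
    names = []
    for doc in docs:
        if doc.get("type") != "alert":
            continue  # skip index patterns, dashboards, etc.
        rule = doc["alert"]
        created = datetime.fromisoformat(rule["createdAt"].replace("Z", "+00:00"))
        if created >= cutoff and rule_has_data(rule, our_indices):
            names.append(rule["name"])
    return names
```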