
[Security Solution] Add support for more complex field overrides #131663

Open
spong opened this issue May 5, 2022 · 4 comments
Labels
enhancement New value added to drive a business result Feature:Rule Creation Security Solution Detection Rule Creation workflow needs product Team:Detection Engine Security Solution Detection Engine Area Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:SIEM

Comments

@spong
Member

spong commented May 5, 2022

As detailed in this discuss post, there is a user need for more sophisticated field overrides. So for example, instead of a simple field to value mapping for severity like user.name === 'Testuser' -> High Severity, something like multi-value support user.name === user.name1, user.name2 -> High Severity.

While expanding the value selector to be a multi-select would satisfy this enhancement request, a full-featured approach here that could be adapted to all field overrides would be a nice improvement. When originally implementing the field overrides, I had envisioned an advanced input that provided the alert data as the context, and then would allow the user to either use the Kibana Expression Language or another scripting language (painless?) to write complex evaluations using the alert context. This could then be adapted for use with Severity/Risk Score Override, and Rule Name Override as well.

@spong spong added triage_needed enhancement New value added to drive a business result Feature:Detection Rules Security Solution rules and Detection Engine Team:Detections and Resp Security Detection Response Team Team: SecuritySolution Security Solutions Team working on SIEM, Endpoint, Timeline, Resolver, etc. Team:Detection Rule Management Security Detection Rule Management Team labels May 5, 2022
@elasticmachine
Contributor

Pinging @elastic/security-detections-response (Team:Detections and Resp)

@elasticmachine
Contributor

Pinging @elastic/security-solution (Team: SecuritySolution)

@peluja1012 peluja1012 added Feature:Rule Creation Security Solution Detection Rule Creation workflow and removed Feature:Detection Rules Security Solution rules and Detection Engine labels Aug 3, 2022
@banderror banderror changed the title [Security Solution][Detections] Add support for more complex field overrides [Security Solution] Add support for more complex field overrides Oct 25, 2022
@banderror banderror added Team:Detection Alerts Security Detection Alerts Area Team and removed Team:Detection Rule Management Security Detection Rule Management Team labels Oct 25, 2022
@defendable-forfot

Seems like this issue has been relatively quiet recently and we want to bring further attention to it. While more complex field overrides as described above may help solve our issue, I still want to highlight another use case where we have run into issues with the current severity override.

We are ingesting data from various security solutions which use a different numeric scale to determine severity. The existing severity override being explicit event.severity == 1 -> Low leaves no room to standardize event.severity that follows a [1-10] range, where event.severity == [1-4] -> Low could be a use case. Determining a severity override across a range of values (relative overrides) is something I would believe would be a basic feature within a SIEM solution such as Elastic Security. However, this sadly does not seem to be the case with the current severity override capabilities.

Implementation of complex overrides would allow us to at least specify which numeric values we want mapped to a certain severity, but being able to use a relative range could also be a useful feature. While we would want to see the latter, we see how complex overrides would be a more straightforward and universal solution to provide.
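As an added example (not Kibana code and not from either commenter), here is a small TypeScript evaluator covering the three override styles discussed in this thread: today's exact-value mapping, the multi-value mapping from the opening comment, and the numeric-range mapping from the comment above. The rule shape, the first-match-wins semantics, the field names and the sample values are all my assumptions.

```typescript
// Hypothetical override rule shapes (assumption, not Kibana's rule schema).
type Severity = 'low' | 'medium' | 'high' | 'critical';

type OverrideRule =
  | { field: string; equals: string | number; severity: Severity }          // current one-to-one mapping
  | { field: string; oneOf: Array<string | number>; severity: Severity }    // multi-value mapping
  | { field: string; range: { gte: number; lte: number }; severity: Severity }; // relative range

// Resolve a dotted path such as "event.severity" against a nested document.
function getField(doc: Record<string, unknown>, path: string): unknown {
  return path.split('.').reduce<unknown>(
    (cur, key) => (cur && typeof cur === 'object' ? (cur as Record<string, unknown>)[key] : undefined),
    doc,
  );
}

// Accept numbers and numeric strings ("6") for range rules; reject booleans,
// null, empty strings and non-numeric strings so they never silently match.
function asNumber(value: unknown): number | undefined {
  if (typeof value === 'number') return Number.isFinite(value) ? value : undefined;
  if (typeof value === 'string' && value.trim() !== '') {
    const n = Number(value);
    return Number.isFinite(n) ? n : undefined;
  }
  return undefined;
}

function matches(rule: OverrideRule, value: unknown): boolean {
  if ('equals' in rule) return value === rule.equals;
  if ('oneOf' in rule) return rule.oneOf.includes(value as string | number);
  const n = asNumber(value);
  return n !== undefined && n >= rule.range.gte && n <= rule.range.lte;
}

// First matching rule wins; documents matching nothing keep the rule's default severity.
function resolveSeverity(doc: Record<string, unknown>, rules: OverrideRule[], defaultSeverity: Severity): Severity {
  for (const rule of rules) {
    if (matches(rule, getField(doc, rule.field))) return rule.severity;
  }
  return defaultSeverity;
}

// Constructed sample overrides: a vendor 1-10 scale bucketed into three bands,
// plus an exact-value rule and a multi-value rule evaluated ahead of the ranges.
const sampleRules: OverrideRule[] = [
  { field: 'host.name', equals: 'dc01', severity: 'critical' },
  { field: 'user.name', oneOf: ['svc_backup', 'svc_deploy'], severity: 'high' },
  { field: 'event.severity', range: { gte: 1, lte: 4 }, severity: 'low' },
  { field: 'event.severity', range: { gte: 5, lte: 7 }, severity: 'medium' },
  { field: 'event.severity', range: { gte: 8, lte: 10 }, severity: 'high' },
];
```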

@yctercero yctercero added Team:Detection Engine Security Solution Detection Engine Area and removed Team:Detection Alerts Security Detection Alerts Area Team labels May 13, 2023
@elasticmachine
Contributor

Pinging @elastic/siem (Team:SIEM)
