Closed automationator closed 5 years ago
I'm gonna nix this one. If the analyst wishes to remove emails, they should state so explicitly (by clicking on the remediation button.) It's kind of like, in software development, having functions that say they do one thing but then also end up doing other things as well; I consider it bad form.
The biggest issue with this is if you add additional correlation in the future that brings in message ids for other reasons, forgetting that remediations automatically take place.
So I'm going to keep remediation its own separate thing.
A possible compromise would be to force the user through a "remediation button click" if there are emails found that haven't been remediated in the event.
ACE should have some sort of trigger for the message-id observable that automatically remediates the email when it is added to an event.
Similarly, if an email is ever removed from an event, it should be restored.
Maybe the best way to do this is to actually trigger remediation based on the alert being dispositioned. So for example if a message-id alert is dispositioned as anything other than FP, IGNORE, or REVIEWED it should be remediated. That includes GRAYWARE and RECON dispositions as sometimes I will disposition junk phish or spam as those, manually remediate them, but not bother to create an event.
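An added example, not ACE's code and not from anyone in this thread, sketching the disposition-triggered policy proposed above together with the add/remove behaviour from the original request. The disposition names (FP, IGNORE, REVIEWED, GRAYWARE, RECON) come from the discussion; the `RemediationTracker` class, its method names and the sample message-ids are assumptions constructed for illustration. The tracker only restores emails it remediated itself, which is the kind of bookkeeping that keeps an automatic trigger from surprising someone who later adds message-ids to an event for another reason.

```python
from dataclasses import dataclass, field

# Dispositions that must NOT trigger remediation, per the proposal above.
# Anything else (including GRAYWARE and RECON) does trigger it.
NON_REMEDIATING_DISPOSITIONS = frozenset({"FP", "IGNORE", "REVIEWED"})


def should_remediate(disposition: str) -> bool:
    """True when an alert with a message-id observable should have the email
    pulled from mailboxes. Comparison is case-insensitive."""
    return disposition.strip().upper() not in NON_REMEDIATING_DISPOSITIONS


@dataclass
class RemediationTracker:
    """Hypothetical bookkeeping for automatic remediation (not an ACE API).

    Records which message-ids this component remediated so that restores only
    undo actions it took itself, and so that repeated triggers are idempotent.
    """
    remediated: set = field(default_factory=set)   # message-ids we pulled
    log: list = field(default_factory=list)        # audit trail of actions

    def _remediate(self, message_id: str) -> bool:
        if message_id in self.remediated:
            return False                           # already done; no-op
        self.remediated.add(message_id)
        self.log.append(("remediate", message_id))
        return True

    def _restore(self, message_id: str) -> bool:
        if message_id not in self.remediated:
            return False                           # we never pulled it; leave alone
        self.remediated.discard(message_id)
        self.log.append(("restore", message_id))
        return True

    def on_disposition(self, message_id: str, disposition: str) -> bool:
        """Proposal from the last comment: remediate when the alert is
        dispositioned as anything other than FP, IGNORE or REVIEWED."""
        if not should_remediate(disposition):
            return False
        return self._remediate(message_id)

    def on_event_add(self, message_id: str) -> bool:
        """Original request: adding a message-id to an event remediates it."""
        return self._remediate(message_id)

    def on_event_remove(self, message_id: str) -> bool:
        """Original request: removing it from the event restores the email."""
        return self._restore(message_id)


if __name__ == "__main__":
    # Constructed sample message-ids, not real mail.
    t = RemediationTracker()
    print(t.on_disposition("<sample-1@example.invalid>", "GRAYWARE"))   # True
    print(t.on_disposition("<sample-1@example.invalid>", "GRAYWARE"))   # False (idempotent)
    print(t.on_disposition("<sample-2@example.invalid>", "REVIEWED"))   # False
    print(t.on_event_remove("<sample-1@example.invalid>"))              # True
    print(t.log)
```

The `should_remediate` check is deliberately a denylist rather than an allowlist so that new dispositions added later default to remediating, which matches the wording of the proposal; if the team would rather new dispositions default to doing nothing, invert it into an explicit set of remediating dispositions.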