elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Engineering][Security Solution][Investigations] - Reason Refactor #133333

Open michaelolo24 opened 2 years ago

michaelolo24 commented 2 years ago

Background:

Ref: https://github.com/elastic/security-team/issues/1590

A good amount of research and work has gone into providing users an easily human readable explanation of what may be going on with a given alert. This has manifested itself initially in the row renderers and then the alert reason statement. Currently the alert reason is a templated string with conditionals based on the available data that provides some utility to the users. Given the functionality already existing within the application via the row renderers, we would like to improve the alert reason by making it a tokenizable string that is indexed and also allows users to take actions upon the tokenized data such as filtering in, filtering out, and investigating the value in timeline.

Goal

The goal of this issue will be to implement a tokenized reason statement that is both indexed and searchable as a string in Kibana, but is visible in tokenized format within the UI for the user to take action on. During the process notes should be made about the potential for allowing users to create their own templated reason strings.

TASKS

Following will be looked into in a future release:

Final Acceptance Criteria:

oatkiller commented 2 years ago

What is meant by tokenize?

michaelolo24 commented 2 years ago

@oatkiller Allow user to take actions on fields of interest. So hover action such as filter in, filter out, investigate in timeline, etc... on relevant fields such as host.x, user.x, source.x etc...
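As an added example of the design discussed in the issue body and in the reply above, not code from Kibana or from the Security Solution team: a small TypeScript module that renders a templated reason statement from an alert document, emitting both the flat string (the form that would be indexed and searchable) and a token list that a UI could attach hover actions to (filter in, filter out, investigate in timeline). The template grammar, the `ReasonToken` shape, the KQL-style filter strings and the sample alert are all assumptions made for this example; only the field names follow ECS-style dotted paths.

```typescript
// Added example (not Kibana code). Builds an alert "reason" from a template whose
// placeholders reference alert fields, producing both a flat string (what would be
// indexed) and a token list that a UI can use for per-field hover actions.
// Template grammar, ReasonToken shape and filter string format are assumptions.

type AlertDoc = Record<string, string | number | undefined>;

interface ReasonToken {
  kind: 'text' | 'field';
  text: string;   // what is rendered; concatenating all tokens yields the flat reason
  field?: string; // ECS-style field name for 'field' tokens, e.g. host.name
  value?: string; // raw value for 'field' tokens, consumed by filter actions
}

interface TokenizedReason {
  reason: string;        // flat, searchable string
  tokens: ReasonToken[]; // tokenized form for the UI
}

// Assumed template grammar:
//   {field.name}                      -> replaced by the field value (a 'field' token)
//   [?field.name: text with {field}]  -> emitted only when field.name is present,
//                                        so missing data leaves no dangling phrase
const CONDITIONAL = /\[\?([\w.]+):([^\]]*)\]/g;
const PLACEHOLDER = /\{([\w.]+)\}/g;

function buildReason(template: string, doc: AlertDoc): TokenizedReason {
  // Resolve conditionals first: drop a block whose guard field is absent or empty.
  const resolved = template.replace(
    CONDITIONAL,
    (_whole: string, field: string, body: string) =>
      doc[field] === undefined || doc[field] === '' ? '' : body
  );

  const tokens: ReasonToken[] = [];
  let last = 0;
  PLACEHOLDER.lastIndex = 0; // global regex keeps state between calls; reset it
  let m: RegExpExecArray | null;
  while ((m = PLACEHOLDER.exec(resolved)) !== null) {
    const [whole, field] = m;
    if (m.index > last) {
      tokens.push({ kind: 'text', text: resolved.slice(last, m.index) });
    }
    const raw = doc[field];
    const value = raw === undefined ? '' : String(raw);
    tokens.push({ kind: 'field', text: value, field, value });
    last = m.index + whole.length;
  }
  if (last < resolved.length) {
    tokens.push({ kind: 'text', text: resolved.slice(last) });
  }

  // The indexed string is exactly the concatenation of the rendered tokens, so a
  // search hit on the flat field corresponds to what the user sees in the UI.
  return { reason: tokens.map((t) => t.text).join(''), tokens };
}

// Hover actions a UI would attach to a 'field' token. Returned here as KQL-style
// strings (an assumed representation, not Kibana's filter objects).
function filterInQuery(t: ReasonToken): string {
  return `${t.field}: "${t.value}"`;
}
function filterOutQuery(t: ReasonToken): string {
  return `NOT ${t.field}: "${t.value}"`;
}

// Constructed sample alert, loosely ECS shaped; source.ip is deliberately absent
// so the conditional block is exercised.
const SAMPLE_ALERT: AlertDoc = {
  'event.category': 'process',
  'process.name': 'curl',
  'user.name': 'svc-backup',
  'host.name': 'web-01',
};

const SAMPLE_TEMPLATE =
  '{event.category} event with process {process.name}, by {user.name} on {host.name}' +
  '[?source.ip: from {source.ip}] created high alert';

const rendered = buildReason(SAMPLE_TEMPLATE, SAMPLE_ALERT);
console.log(rendered.reason);
for (const t of rendered.tokens) {
  if (t.kind === 'field') {
    console.log(`  ${t.field} -> filter in: ${filterInQuery(t)} | filter out: ${filterOutQuery(t)}`);
  }
}
```

Keeping the flat string as the exact concatenation of token texts is the point of the design: the same reason can be indexed and searched as one string while the UI still knows which substrings are field values and which field each one belongs to, so a hover action never has to re-parse the rendered text.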

PhilippeOberti commented 1 month ago

@michaelolo24 what should we do about this? Is it worth keeping this ticket around? Are we ever going to work on this?