elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

[Security Detection Rules] - Improve Custom Query in Detections Rules for Data Views #168909

Open nicpenning opened 1 year ago

nicpenning commented 1 year ago

Describe the feature: There are two features, but I'm not sure if two FRs are needed, as they live on the same page and in the same flow.

1. Update Wording

In Security -> Rules -> Detection rules (SIEM) -> Create New Rule -> Step 1, you see this:

[Screenshot: Step 1 of the rule creation flow, showing the "issues" wording]

In the context of security, detecting "issues" may not represent what is needed here. This may be generic, but "issues" is not what we are searching for. We are searching for events or threats, or something a little broader. This seems to be observability-based. It is pretty nitpicky, but I figured I would mention it. Perhaps the wording could be "Use KQL or Lucene to match events across indices".

2. Display Data View names when selecting Data Views, not the index patterns (or show both).

When following along in the rule creation step and selecting Data View, you will see that only index patterns are displayed and not the Data View name.

[Screenshot: Data View selector in rule creation, listing index patterns only]

Describe a specific use case for the feature: As a security analyst, I would like to select Data Streams based on the Data Stream name, as that is what I am used to seeing in Discover and other features of the stack. I do not want to have to correlate index patterns to the Data View names that are being used in Dashboards and other places.

For example, we have named almost all of our Data Streams so that it is easy to understand what context we are searching on:

[Screenshot: Data View names as shown in Discover]

Above you can see that Carbon Black and Azure events have better display names in Discover than they do as a selection item in the rule creation.

elasticmachine commented 1 year ago

Pinging @elastic/security-solution (Team: SecuritySolution)