elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Defend Agent "Malicious Behavior" separated out by their associated rule #171585

Open jcoyne-elastic opened 1 year ago

jcoyne-elastic commented 1 year ago

Describe the feature: The Threat Detection team is requesting Defend Agent "Behavior" rules to be separated out by their associated "rule".

Describe a specific use case for the feature: As of right now, in Elastic Defend there are 4 primary groups of policies/detections: "Malware", "Ransomware", "Memory Threat", "Malicious Behavior", which can each be in "Detect" or "Prevent" protection level. There is a large number of rules that are all included under "Malicious Behavior" (https://github.com/elastic/protections-artifacts/tree/main/behavior/rules); however, these rules are all included in a single detect/prevent policy option. For detections, all Defend/Endpoint agent alerts are part of one single rule (screenshot below). While these dynamically include the sub-rule when an alert is created (screenshot below), for each of these rules, Elastic Infosec (and very likely other customers) will want to review the specific rule and toggle which ones are on vs. off (as some rules might not be appropriate for a specific environment), as well as add detail or context such as lowering the severity for certain rules or tuning the rule if needed.

elasticmachine commented 1 year ago

Pinging @elastic/security-solution (Team: SecuritySolution)