elastic / kibana

Your window into the Elastic Stack
https://www.elastic.co/products/kibana

Custom component template for system index .alerts-security.alerts-<namespace>-index-template #177802

Open Harmlos opened 6 months ago

Harmlos commented 6 months ago

Describe the feature:

It is necessary to add a call to the custom component template for the system index .alerts-security.alerts in order to be able to add descriptions for custom fields.

Describe a specific use case for the feature:

In many installations, it is necessary to enrich data when creating an incident in one way or another.

These can be typical fields for all configurations:

They can also be non-typical fields:

These fields serve to simplify the work of system users in different installations. With an external system number present, the event is no longer viewed by other users. In one of the installations, the process of checking a file on VT is performed using Flask, which sends the file hash or URL as a request and updates the value in the event upon receiving a response. After this, users no longer need to perform routine operations on VT, significantly simplifying event processing and improving result quality.

Currently, in different installations, it is necessary to independently create a custom component template with field descriptions for correct mapping and add its call to .alerts-security.alerts-default-index-template. However, due to the lack of a default call to the custom component template, changes have to be made after each update.
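An added example, not code from the issue or from Kibana: a small Python helper for the workaround described in the issue. It builds the custom component template body with explicit mappings for enrichment fields, and checks whether a saved copy of the `.alerts-security.alerts-default-index-template` body still lists that component in `composed_of`, re-adding it when an update has dropped it. The template name, field names and the sample template body are assumptions.

```python
import json

CUSTOM_TEMPLATE = "custom-security-alerts-mappings"  # assumed name, not a Kibana default
ALERTS_TEMPLATE = ".alerts-security.alerts-default-index-template"  # name from the issue


def build_custom_component_template(fields: dict) -> dict:
    """Body for PUT _component_template/<CUSTOM_TEMPLATE>: every enrichment field gets
    an explicit type, so it is mapped deterministically instead of by dynamic mapping."""
    return {"template": {"mappings": {"properties": {
        name: {"type": ftype} for name, ftype in fields.items()}}}}


def missing_custom_template(index_template: dict, name: str = CUSTOM_TEMPLATE) -> bool:
    """True when an index template body (shape of GET _index_template/...) no longer
    lists `name` in composed_of, i.e. the manual addition was lost after an update."""
    return name not in index_template.get("composed_of", [])


def add_custom_template(index_template: dict, name: str = CUSTOM_TEMPLATE) -> dict:
    """Return a copy with `name` appended last in composed_of, so its mappings are
    applied after (and can refine) the built-in alert mappings."""
    updated = json.loads(json.dumps(index_template))  # deep copy, input untouched
    composed = [t for t in updated.get("composed_of", []) if t != name]
    composed.append(name)
    updated["composed_of"] = composed
    return updated


# Constructed sample of what the alerts index template might look like after an
# update, reduced to the parts used here; component names are placeholders.
SAMPLE_INDEX_TEMPLATE = {
    "index_patterns": [".internal.alerts-security.alerts-default-*"],
    "composed_of": [".alerts-ecs-mappings", ".alerts-security.alerts-mappings"],
    "priority": 7,
}

# Enrichment fields of the kind the issue describes; field names are assumptions.
ENRICHMENT_FIELDS = {
    "external_ticket_id": "keyword",  # number of the incident in the external system
    "vt_verdict": "keyword",          # result written back by the VT check
    "vt_checked_at": "date",
}

if __name__ == "__main__":
    print(json.dumps(build_custom_component_template(ENRICHMENT_FIELDS), indent=2))
    if missing_custom_template(SAMPLE_INDEX_TEMPLATE):
        print(f"{ALERTS_TEMPLATE} lost {CUSTOM_TEMPLATE}; new composed_of:")
        print(json.dumps(add_custom_template(SAMPLE_INDEX_TEMPLATE)["composed_of"]))
```

Running the check after every Kibana update (against the real template body fetched from Elasticsearch) catches the case the issue describes, where the reference has to be re-added by hand.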

elasticmachine commented 6 months ago

Pinging @elastic/response-ops (Team:ResponseOps)

elasticmachine commented 6 months ago

Pinging @elastic/security-detections-response (Team:Detections and Resp)