Open dhurley14 opened 4 months ago
Pinging @elastic/security-detection-engine (Team:Detection Engine)
Pinging @elastic/security-detections-response (Team:Detections and Resp)
cc @approksiu @paulewing @banderror would be great to discuss where this work fits in. Similar efforts are apparently on Response Ops and Observability radar as well.
Describe the feature:
Provide a way to display relationships (directed or undirected) between security rules, where each rule-to-rule relationship mirrors the relationship between the services those rules monitor. Security analysts would use this feature during investigations.
Problem Statement
Security analysts monitor services that often depend on, or are otherwise related to, other services. The events ingested by our connectors and agents don't always carry a field that reflects these dependencies, so discovering which services are impacted can be far from obvious. Reflecting the relationships between services in the rules that monitor those services provides the connection needed to link events and alerts across services within the security solution.
During an investigation it is prudent for security analysts to determine whether connected systems are impacted. By representing the links between these systems and services as connections between rules, we can better arm security analysts with information on how certain alerts relate to one another. Some services cannot be reached without authorization from a preceding service, so this relationship could also be used in rules to better represent severity and even to offer alternative avenues of alert suppression.
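As an added illustration (not Kibana's or the Detection Engine's code), the sketch below models the proposal: rule-to-rule edges that mirror service dependencies, a walk over those edges to find rules whose services may be impacted, and a pass over alerts that picks out downstream alerts firing shortly after an alert on the upstream rule. All rule ids, edges and alerts are hypothetical and constructed for the example.

```typescript
// Added example, not project code. Rule ids and service names are hypothetical.
interface RuleEdge { from: string; to: string; directed: boolean }
interface Alert { ruleId: string; timestamp: number }

// Edges mirror service dependencies: the auth service gates access to the
// payments and orders APIs; payments writes to the ledger; orders and
// inventory call each other (undirected).
const RULE_EDGES: RuleEdge[] = [
  { from: "rule-auth-service", to: "rule-payments-api", directed: true },
  { from: "rule-auth-service", to: "rule-orders-api", directed: true },
  { from: "rule-payments-api", to: "rule-ledger-db", directed: true },
  { from: "rule-orders-api", to: "rule-inventory-svc", directed: false },
];

// Rules reachable from `start`: directed edges are followed forward only,
// undirected edges in either direction. This is the "possibly impacted" set.
function impactedRules(start: string, edges: RuleEdge[]): Set<string> {
  const adj = new Map<string, string[]>();
  const add = (a: string, b: string) => adj.set(a, [...(adj.get(a) ?? []), b]);
  for (const e of edges) {
    add(e.from, e.to);
    if (!e.directed) add(e.to, e.from);
  }
  const seen = new Set<string>();
  const queue: string[] = [start];
  while (queue.length > 0) {
    const cur = queue.shift()!;
    for (const next of adj.get(cur) ?? []) {
      if (!seen.has(next)) { seen.add(next); queue.push(next); }
    }
  }
  seen.delete(start);
  return seen;
}

// Alerts on impacted rules that fired within `windowMs` after an alert on
// `start`, i.e. the candidates an analyst would review together.
function relatedAlerts(start: string, alerts: Alert[], edges: RuleEdge[], windowMs: number): Alert[] {
  const downstream = impactedRules(start, edges);
  const triggers = alerts.filter((a) => a.ruleId === start);
  return alerts.filter((a) => downstream.has(a.ruleId) &&
    triggers.some((t) => a.timestamp >= t.timestamp && a.timestamp - t.timestamp <= windowMs));
}

// Constructed sample alerts (not real data); timestamps are arbitrary ms values.
const SAMPLE_ALERTS: Alert[] = [
  { ruleId: "rule-auth-service", timestamp: 1000 },
  { ruleId: "rule-payments-api", timestamp: 1500 },
  { ruleId: "rule-ledger-db", timestamp: 2000 },
  { ruleId: "rule-inventory-svc", timestamp: 9000 }, // too late for the window
  { ruleId: "rule-payments-api", timestamp: 500 },   // fired before the auth alert
];
```

Running `relatedAlerts("rule-auth-service", SAMPLE_ALERTS, RULE_EDGES, 2000)` returns only the payments and ledger alerts, which is the linkage the proposal wants to surface to the analyst.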