Open nicpenning opened 2 months ago
Pinging @elastic/security-defend-workflows (Team:Defend Workflows)
@cmacknz @andrewkroh since this would be implemented in Beats, is the beats repository the right one to move it to?
I would expect this can be done similarly to https://github.com/elastic/kibana/issues/179915 where we could have Fleet add a drop_event
processor to every integration automatically.
CC @nimarezainia
Pinging @elastic/fleet (Team:Fleet)
Describe the feature: I would like the ability to use Event Filters for all integrations that send data to Elasticsearch to reduce event noise from the host instead of having to manipulate the ingest pipelines to do this. Plus, this would reduce workload to the Elastic stack if the event were simply not sent to the ingest pipelines to begin with. Today, only Elastic Defend events can be filtered out but I would also like to filter out noisy Windows Events that may occur.
Describe a specific use case for the feature: Today we identified a host that was sending millions of events an hour for an event log that usually would only send a few events per week. I wanted to quickly exclude this specific host from sending these millions of events using an event filter but could not since the event filters do not apply to the Windows integrations. So instead, I must add a processor to the ingest pipeline for which this system lives or add it to a new policy that does not capture this event type. In this example the event provider was Microsoft-Windows-WHEA-Logger and a host has some serious hardware issues.
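As an added illustration (not part of the issue or of any Elastic code), this is what the agent-side filtering discussed in the thread looks like when written as a Beats `drop_event` processor for the WHEA-Logger case above: it drops the events before they leave the host, so neither the ingest pipeline nor the cluster sees them. It is the manual, per-integration workaround that the comment above proposes Fleet could apply automatically. The host name `noisy-host-01` is a constructed placeholder, and it assumes the Windows integration input exposes the advanced "Processors" setting where this YAML would be pasted.

```yaml
# Added example: Beats/Elastic Agent processor that drops WHEA-Logger
# events from one host before they are shipped to Elasticsearch.
# Both conditions must match, so other hosts and other providers
# are unaffected. host.name is a constructed placeholder value.
processors:
  - drop_event:
      when:
        and:
          - equals:
              winlog.provider_name: "Microsoft-Windows-WHEA-Logger"
          - equals:
              host.name: "noisy-host-01"
```

Scoping the condition to both the provider and the host matters: a condition on the provider alone would silence hardware-error telemetry from every Windows host in the policy, while the per-host form keeps that visibility everywhere except the machine already known to be flooding. The trade-off of any such drop is that the dropped events are gone for good, so it is worth recording why the filter exists and removing it once the hardware fault is fixed.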