Open jtavan opened 2 years ago
You would want one card to summarize all events that have the observable, say hostname: brian-pc, instead of many cards grouped by signature that relate to hostname: brian-pc?
I think I might like to have an accordion-folding header for hostname: brian-pc with an event count (or grouped event count, or both) on it, which if clicked will expand open to show all the events (or grouped events). Many security tools I've used have some concept like this, and it can be helpful.
That makes perfect sense; this is something we had talked about internally and deemed "nice to have" for a future release. Would you consider this something you would need to have to continue usage of ReflexSOAR, or more of a nice to have, knowing you can get around it by getting creative with filters? This just helps me determine where it may fall on a roadmap plan.
It's definitely a "nice to have" for me, not nearly as important as activity streams/actions/detections and other core functionality.
Describe the solution you'd like
In the events view, it would be very helpful to be able to select a "Group By" field and then show an aggregated view of events grouped by the selected field. Example: Group By Hostname to see all the different hosts that have events in the system, or Group By Department to map event clusters to specific organization units.
Describe alternatives you've considered
We can already filter on a specific single observable value to drill down to a specific computer or hash or whatever, but some of the power of the events view is that it can group similar events, so how about taking the grouping one step further in the view and grouping non-identical-but-related events?
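As an added example that is not part of this issue or of ReflexSOAR's own code, the aggregation described above in Python: events that are already grouped by signature get a second "Group By" on an observable type (hostname here), and each resulting header carries both an event count and a grouped-event (distinct signature) count, as the accordion idea asks for. The event shape (`signature`, `observables` with `type`/`value`), the field names and the sample events are assumptions constructed for this example, not the project's schema.

```python
"""Group events by an observable value and summarize per group.

Added example, not ReflexSOAR code. The event layout below is an
assumption for illustration only.
"""
from collections import defaultdict

# Constructed sample events (assumed schema): each event has the signature
# it already groups under, plus a list of typed observables.
EVENTS = [
    {"uuid": "e1", "signature": "sig-a",
     "observables": [{"type": "hostname", "value": "brian-pc"},
                     {"type": "user", "value": "brian"}]},
    {"uuid": "e2", "signature": "sig-a",
     "observables": [{"type": "hostname", "value": "brian-pc"}]},
    {"uuid": "e3", "signature": "sig-b",
     "observables": [{"type": "hostname", "value": "brian-pc"},
                     {"type": "hostname", "value": "brian-pc"}]},  # duplicate, counted once
    {"uuid": "e4", "signature": "sig-a",
     "observables": [{"type": "hostname", "value": "alice-pc"}]},
    {"uuid": "e5", "signature": "sig-c",
     "observables": [{"type": "sha256", "value": "ab" * 32}]},  # no hostname at all
]

NO_VALUE = "(none)"  # bucket for events that lack the selected observable type


def group_by_observable(events, obs_type):
    """Return {value: {"event_count", "grouped_event_count", "signatures"}}.

    event_count         - events carrying this observable value
    grouped_event_count - distinct signatures among them (the "grouped" count)
    signatures          - per-signature event counts inside the group
    An event is counted once per distinct value even if it lists the same
    observable twice; events without the observable land in NO_VALUE so
    nothing silently disappears from the view.
    """
    groups = defaultdict(lambda: {"event_count": 0, "signatures": defaultdict(int)})
    for ev in events:
        values = {o["value"] for o in ev.get("observables", []) if o.get("type") == obs_type}
        if not values:
            values = {NO_VALUE}
        for value in values:
            g = groups[value]
            g["event_count"] += 1
            g["signatures"][ev["signature"]] += 1
    return {
        value: {
            "event_count": g["event_count"],
            "grouped_event_count": len(g["signatures"]),
            "signatures": dict(g["signatures"]),
        }
        for value, g in groups.items()
    }


def render_accordion(groups, obs_type):
    """Text rendering of the folded headers, busiest group first."""
    lines = []
    ordered = sorted(groups.items(), key=lambda kv: (-kv[1]["event_count"], str(kv[0])))
    for value, g in ordered:
        lines.append(f"[+] {obs_type}: {value}  "
                     f"({g['event_count']} events, {g['grouped_event_count']} grouped)")
        for sig, n in sorted(g["signatures"].items()):
            lines.append(f"      {sig} x{n}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_accordion(group_by_observable(EVENTS, "hostname"), "hostname"))
```

Switching `obs_type` to "user" or "sha256" gives the Group By Department style view the issue mentions with no change to the function; only the observable type selected by the user changes.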