splunk / security_content

Splunk Security Content
https://research.splunk.com
Apache License 2.0

ER - Support custom alert actions #939

Closed inspired closed 3 years ago

inspired commented 3 years ago

As a user I would like to be able to define my detections with custom alert actions besides "notable", "risk" and "email". An example of a custom alert action would be "sendtophantom"

We should support the alert actions listed above or allow custom built-in alert actions (not on our pre-defined list), as well as additional params necessary for i.e. integration with ticketing systems or similar.

Whether this should be done using tags, on a deployment or detection level is something I'll leave up to you.

Discussed with @P4T12ICK

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

phplucas commented 3 years ago

@inspired @P4T12ICK no updates here?

inspired commented 3 years ago

As a side note sendtophantom may not be the best example because the Notable Event ID has not yet been generated (it gets generated by the Notable Alert Action). In this case a scheduled search on `notable` is probably the way to go

nbheu1 commented 3 years ago

It would be great to be able to have ES adaptive responses to use as own objects to attach to detection rules and/or analytical stories. Detections need also to support throttle period, so SOC analyst can adjust the alert mechanisms.

P4T12ICK commented 3 years ago

Sorry for my late reply. We should work on supporting some more alert actions. I will have a look into ES adaptive responses. Adding throttling should be an easy fix.
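For readers following what the request in this thread would amount to on the Splunk side, here is an added illustration (not code from the security_content project or from any commenter) of two `savedsearches.conf` stanzas: a detection that creates a notable with throttling applied, and a follow-on scheduled search over the `notable` macro that forwards the generated notable to Phantom via the `sendtophantom` action mentioned above. The stanza names, the search strings, the throttling fields and the cron schedule are constructed for the example; the keys are standard Splunk `savedsearches.conf` settings, and the `sendtophantom` action's own parameters depend on the Phantom app's `alert_actions.conf` and are left as a placeholder.

```ini
# Added example, not from the security_content repository.
# Stanza names, searches and field names are constructed for illustration.

# 1) The detection itself: fires the built-in "notable" alert action and
#    throttles so the same user/dest pair does not re-alert within 24 hours.
[ESCU - Example Detection - Rule]
search = index=example_index sourcetype=example_sourcetype | stats count by user, dest
cron_schedule = */15 * * * *
dispatch.earliest_time = -15m
dispatch.latest_time = now
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
# Built-in alert actions already on the pre-defined list
action.notable = 1
action.risk = 0
action.email = 0
# Throttling: suppress repeated alerts for the same entity for the period
alert.suppress = 1
alert.suppress.fields = user, dest
alert.suppress.period = 24h

# 2) Follow-on search over `notable`: the Notable Event ID exists only after
#    the notable action has run, so the custom action is attached here rather
#    than to the detection directly.
[ESCU - Example Detection - Send To Phantom]
search = `notable` | search rule_name="ESCU - Example Detection - Rule"
cron_schedule = */15 * * * *
dispatch.earliest_time = -20m
dispatch.latest_time = now
enableSched = 1
counttype = number of events
relation = greater than
quantity = 0
# Custom alert action from the Phantom app (not on the pre-defined list)
action.sendtophantom = 1
# Action parameters follow the app's alert_actions.conf; the names are
# app-specific, so only a placeholder is shown here:
# action.sendtophantom.param.<param_name> = <value>
```

The split mirrors the point raised earlier in the thread: a custom action that needs the notable's `event_id` has to run after the notable has been created, which a scheduled search over `notable` provides, while throttling belongs on the detection that generates the notable in the first place.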

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.