Closed inspired closed 3 years ago
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
@inspired @P4T12ICK no updates here?
As a side note, sendtophantom may not be the best example because the Notable Event ID has not yet been generated (it gets generated by the Notable alert action). In this case a scheduled search on `notable` is probably the way to go.
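To illustrate the pattern described in the comment above, here is an added example (not code from the original thread or from the security_content project) of a savedsearches.conf stanza: a scheduled search over the ES `notable` macro that picks up notables once the Notable alert action has assigned them an `event_id`, forwards them with the sendtophantom action, and applies throttling. The rule name, the Phantom server name, the `action.sendtophantom.param.*` names and the time windows are assumptions and should be checked against the Phantom app's own documentation for the installed version.

```ini
# Hypothetical scheduled search: forward newly generated ES notables to Phantom.
# Runs after the detection's own Notable action, so event_id already exists.
[Forward New Notables to Phantom - Example]
search = `notable` | search status_label="New" rule_name="Example Detection Rule" \
  | fields event_id, rule_name, urgency, src, dest, user, _time
enableSched = 1
cron_schedule = */5 * * * *
dispatch.earliest_time = -10m@m
dispatch.latest_time = now
counttype = number of events
relation = greater than
quantity = 0

# Throttling: do not re-send the same notable (event_id is unique per notable).
alert.suppress = 1
alert.suppress.fields = event_id
alert.suppress.period = 86400s

# sendtophantom alert action (parameter names assumed; verify against the Phantom app).
action.sendtophantom = 1
action.sendtophantom.param.phantom_server = phantom-prod
action.sendtophantom.param.severity = medium
action.sendtophantom.param.sensitivity = amber
action.sendtophantom.param.label = events
action.sendtophantom.param.sendresults = 1
```

The 10-minute lookback with a 5-minute schedule deliberately overlaps so late-indexed notables are not missed; the `alert.suppress` stanza keyed on `event_id` is what prevents the overlap from creating duplicate Phantom containers.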
It would be great to be able to have ES adaptive responses to use as own objects to attach to detection rules and/or analytic stories. Detections also need to support a throttle period, so SOC analysts can adjust the alert mechanisms.
Sorry for my late reply. We should work on supporting some more alert actions. I will have a look into ES adaptive responses. Adding throttling should be an easy fix.
As a user I would like to be able to define my detections with custom alert actions besides "notable", "risk" and "email". An example of a custom alert action would be "sendtophantom"
We should support the alert actions listed above or allow custom built-in alert actions (not on our pre-defined list), as well as additional params necessary for i.e. integration with ticketing systems or similar.
Whether this should be done using tags, on a deployment or detection level is something I'll leave up to you.
Discussed with @P4T12ICK