[Cases][Security Solution] Bulk add alerts to cases #113853
Comments
Pinging @elastic/security-threat-hunting-cases (Team:Threat Hunting:Cases)
Thank you @nemhods for your feedback! This is something we definitely want to provide as a feature. It is in our backlog. cc @paulewing
Pinging @elastic/response-ops-cases (Feature:Cases)
Pinging @elastic/response-ops (Team:ResponseOps)
Hi @nemhods! Do you have any idea what the average number of alerts you want to attach to a case with one action is?
Hey @cnasikas, sure! I would say a typical amount is about 4-5. This would be something like:
... because these detection models overlap in parts. Then there are cases with the builtin rule "Threat Intel Indicator Match", where a Host contacts an indicator IP 50+ times (e.g. when the IP serves a website and multiple connections are made without keepalive). So I would say it would need to support 5 alerts casually and 50 in extreme cases?
Thank you so much for the feedback @nemhods! It is very valuable for us and we will take it into consideration.
Implemented by #128875
Describe the feature: Allow users to bulk-add alerts to a case.
-> Allow this
-> in this bulk menu:
The Case UI would probably have to be adjusted to account for possibly hundreds of alerts being added to the case comment stream, maybe by stacking the added alerts in an "accordion" UI:
Describe a specific use case for the feature: A security detection might trigger many times for a single issue. E.g. a firewall throws 50 alerts because the user's browser visited a malicious website 50 times due to badly programmed JavaScript. Or, next to the firewall alert, there are also multiple Endpoint alerts that belong to the same case. It would be great to be able to add them all at once to a case, and benefit from the auto-updating of alert status when the case status is updated.
Currently, it is extremely tedious to add >10 alerts to a case. This happens quite often in our environment, and is the major usability hurdle preventing us from using the SIEM app for case management yet.
Another situation where this would be useful: When we investigate a Host that has suspicious behaviour, usually all alerts of that host within the current day belong to the same case. With the proposed change, one could simply filter for the hostname, mark all alerts, and attach them all to a case.