[FR] Hooks for alerts #586
Labels
enhancement
New feature or request
Comments
|
Edit: looks like these hooks exist in post_init.py but they're just not documented. I'll give it a go and report back if successful, in which case, it's just a documentation issue. |
|
Hi! These hooks are indeed present and documented already: https://docs.dfir-iris.org/latest/development/hooks/#available-hooks Best |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I appreciate the alerts object is a relatively new feature and it offers the ability for SOC teams to use IRIS too and escalate to CSIRT. However, some additional functionality would be nice such as including hooks for alerts so that automated actions and manual set-pieces can be performed from the alerts object where it is not necessary for it to be escalated into a case. For example, if alerts are fed in via the API from a SIEM, an analyst could flag "rule needs tuning" via a manual hook associated with the alert which could be configured to raise that to detection engineers.
Alternatives include escalating to a case but where such use cases for hooks mean that a case is not needed, such as the one given above, it creates unnecessary data duplication across different objects and teams. I have noted that there is a bit of entanglement between alerts and cases already, for example, case classification is fully customisable through the GUI, but there is no such option for alerts, but alerts seem to use the case classification fields nevertheless. Perhaps this could be looked at as part of a wider task of separating alerts from cases which would allow further customisation (e.g. providing the ability to customise alert resolution statuses).
The text was updated successfully, but these errors were encountered: