Add user and timestamp information for alert status changes #141464
Comments
rashmivkulkarni
added
the
Team:ResponseOps
|
Pinging @elastic/response-ops (Team:ResponseOps) |
|
@shanisagiv1, @paulewing, it seems to be a valid request. Let us know when/who should do it. |
|
Hello all, Do you have any update on this feature? On my side the use-case is for SOC Operation and analyst work monitoring. As we are working with on third-party SOAR our analysts are not creating Cases directly in Elastic but they start to investigate in Elastic. So they are changing the status from "Open" to "Acknowledge", then at the alert is going to the SOAR and finally when alert has been investigated on the SOAR there is an automation to change the status to "Closed" on Elastic. Currently as we don't have the information about which user change the status and start the investagation we are not able to monitor analyst actions. Thanks ! |
Describe the feature:
Add information about who changed the alert status and when this has been done.
Describe a specific use case for the feature:
To get a better overview, when working with multiple security analysts. Customer are requesting more information about alert status changes. Using/Creating a case is not always the best option. For a better experience when working with multiple people in the same cluster/deployment this kind of information would be very helpful. You can see who is already working on the acknowledged alert and who marked it as closed.
The text was updated successfully, but these errors were encountered: