Describe the feature:
Add information about who changed the alert status and when this has been done.
Describe a specific use case for the feature:
To get a better overview when working with multiple security analysts. Customers are requesting more information about alert status changes. Using/creating a case is not always the best option. For a better experience when working with multiple people in the same cluster/deployment, this kind of information would be very helpful. You can see who is already working on the acknowledged alert and who marked it as closed.
On my side the use case is SOC operation and analyst work monitoring. As we are working with a third-party SOAR, our analysts are not creating cases directly in Elastic, but they start to investigate in Elastic. So they are changing the status from "Open" to "Acknowledged", then the alert is going to the SOAR, and finally, when the alert has been investigated on the SOAR, there is an automation to change the status to "Closed" in Elastic.
Currently, as we don't have the information about which user changed the status and started the investigation, we are not able to monitor analyst actions.
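The workflow in the comment above (analyst acknowledges in Elastic, SOAR automation closes) can be given the who/when record the issue asks for on the client side, by routing every status change through one wrapper that logs the actor and timestamp before and after the API call. The following is an added example, not code from the thread or from Elastic. It assumes the Kibana endpoint `POST /api/detection_engine/signals/status` with a body of the form `{"signal_ids": [...], "status": "..."}` and the `kbn-xsrf` header; the HTTP transport is injected, and the `make_fake_transport` stand-in lets the example run offline. The alert IDs, user names and the `alert-42` workflow are constructed.

```python
"""Client-side audit trail for alert status changes (constructed example).

Assumptions, not taken from the original issue: the Kibana endpoint
POST /api/detection_engine/signals/status with a JSON body of the form
{"signal_ids": [...], "status": "..."} and the kbn-xsrf header; the HTTP
transport is injected so the example runs offline with a fake transport.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional

SIGNALS_STATUS_PATH = "/api/detection_engine/signals/status"  # assumed endpoint
VALID_STATUSES = ("open", "acknowledged", "closed")
# Transitions the thread's workflow uses: an analyst acknowledges an open
# alert, the SOAR automation closes it afterwards; reopening is permitted.
ALLOWED_TRANSITIONS = {
    ("open", "acknowledged"),
    ("acknowledged", "closed"),
    ("open", "closed"),
    ("closed", "open"),
}

# (path, headers, body) -> HTTP status code
Transport = Callable[[str, Dict[str, str], Dict], int]


@dataclass(frozen=True)
class AuditEntry:
    alert_id: str
    old_status: str
    new_status: str
    actor: str       # analyst account or automation identity
    source: str      # "analyst" or "soar"
    changed_at: str  # ISO 8601 timestamp, UTC


@dataclass
class AlertStatusAuditor:
    """Routes every status change through one place that records who/when."""
    transport: Transport
    current_status: Dict[str, str] = field(default_factory=dict)
    audit_log: List[AuditEntry] = field(default_factory=list)
    clock: Optional[Callable[[], datetime]] = None  # injectable for tests

    def set_status(self, alert_id: str, new_status: str, actor: str, source: str) -> AuditEntry:
        if new_status not in VALID_STATUSES:
            raise ValueError(f"unknown status {new_status!r}")
        old_status = self.current_status.get(alert_id, "open")
        if (old_status, new_status) not in ALLOWED_TRANSITIONS:
            raise ValueError(f"{alert_id}: {old_status} -> {new_status} is not an allowed transition")
        headers = {"kbn-xsrf": "true", "Content-Type": "application/json"}
        body = {"signal_ids": [alert_id], "status": new_status}
        code = self.transport(SIGNALS_STATUS_PATH, headers, body)
        if code != 200:
            # Do not record a change that Kibana did not accept.
            raise RuntimeError(f"status update for {alert_id} failed with HTTP {code}")
        now = (self.clock or (lambda: datetime.now(timezone.utc)))()
        entry = AuditEntry(alert_id, old_status, new_status, actor, source, now.isoformat())
        self.current_status[alert_id] = new_status
        self.audit_log.append(entry)
        return entry

    def history(self, alert_id: str) -> List[AuditEntry]:
        return [e for e in self.audit_log if e.alert_id == alert_id]

    def _last_actor(self, alert_id: str) -> Optional[str]:
        hist = self.history(alert_id)
        return hist[-1].actor if hist else None

    def working_on(self, alert_id: str) -> Optional[str]:
        """Who acknowledged the alert, while it is still acknowledged."""
        if self.current_status.get(alert_id) != "acknowledged":
            return None
        return self._last_actor(alert_id)

    def closed_by(self, alert_id: str) -> Optional[str]:
        """Who (or which automation) closed the alert, while it is closed."""
        if self.current_status.get(alert_id) != "closed":
            return None
        return self._last_actor(alert_id)


def make_fake_transport(sent: List[Dict]) -> Transport:
    """Stands in for the HTTP call: records request bodies and answers 200."""
    def transport(path: str, headers: Dict[str, str], body: Dict) -> int:
        if path != SIGNALS_STATUS_PATH or headers.get("kbn-xsrf") != "true":
            return 400
        sent.append(body)
        return 200
    return transport


def run_soc_workflow() -> AlertStatusAuditor:
    """The workflow from the thread: analyst acknowledges, SOAR closes (constructed data)."""
    sent: List[Dict] = []
    auditor = AlertStatusAuditor(make_fake_transport(sent), current_status={"alert-42": "open"})
    auditor.set_status("alert-42", "acknowledged", "alice@soc.example", "analyst")
    auditor.set_status("alert-42", "closed", "soar-automation", "soar")
    return auditor


if __name__ == "__main__":
    for entry in run_soc_workflow().audit_log:
        print(entry)
```

In a real deployment the SOAR's closing automation would call `set_status` with its own service identity as `actor` and `source="soar"`, so the audit log separates human acknowledgements from automated closures; the log itself should be shipped somewhere the analysts cannot edit (for example a separate index with restricted write privileges) if it is to serve as a record of analyst actions.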