[SIEM][Action] Open case rule action #62190
Labels: enhancement, Team: SecuritySolution, Team:SIEM
This is a compilation of ideas for what a rule action for cases could be used for.
When creating a Case rule action, you should be able to fill in:
MVP from my point of view:

- The creator of the case (dropdown of users with access to cases, maybe? Or ask them to fill in a username and run a check when saving the rule that it exists and can access the necessary API?)
- The title (with support for adding context from the event itself, either from a dropdown or by writing the ctx values manually)
- A description (with support for adding context from the event itself, either from a dropdown or by writing the ctx values manually)

Now, after the MVP, there are plenty of ideas that come up:

- Re-using the Markdown editor already used in the Case UI for writing the description would be nice.
- Being able to suppress (or, even cooler, update the existing case with a comment if the same host triggers the same rule again).
- Being able to choose which fields you want to aggregate on when creating the rule and action.
  - Just a basic example: if I choose Source.IP and Destination.IP, 10 hits and X minutes aggregation, that means that two things would happen:
- When creating aggregation rules, you should also be able to choose which field needs to be unique. A (bad) example would be multiple hosts attacking a single destination; at that point the aggregation would be "unique(source.ip)" but the same destination.ip.
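To make the aggregation, suppression and unique-field ideas above concrete, here is an added worked example written for this page; it is not Kibana's case action and not the issue author's code. It assumes ECS-style nested events, a `{{field.path}}` placeholder syntax for pulling event context into the title and description, a constructed list of users allowed to use the cases API, and constructed sample SSH-failure events. The runner keeps a sliding window per aggregation bucket, opens a case when the threshold is met, and either comments on the already-open case for that bucket or opens another one, depending on the `update_existing` flag. With `unique_field` set, it counts distinct values of that field instead of raw hits, which is the "unique(source.ip) but same destination.ip" case from the last bullet.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Optional, Tuple


def get_field(event: dict, path: str):
    """Look up a dotted ECS-style field name ("source.ip") in a nested event dict."""
    cur = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


_PLACEHOLDER = re.compile(r"\{\{\s*([\w.@]+)\s*\}\}")  # assumed {{field.path}} template syntax


def render(template: str, event: dict) -> str:
    """Fill {{field.path}} placeholders from the triggering event; fields the event lacks render as '-'."""
    def sub(m):
        value = get_field(event, m.group(1))
        return "-" if value is None else str(value)
    return _PLACEHOLDER.sub(sub, template)


@dataclass
class CaseRuleAction:
    owner: str                          # user the case is created as (the "creator" from the issue)
    title: str                          # template with {{field}} placeholders
    description: str
    group_by: Tuple[str, ...]           # fields whose values identify one aggregation bucket
    threshold: int                      # hits (or distinct unique_field values) needed inside the window
    window: timedelta
    unique_field: Optional[str] = None  # when set, count distinct values of this field, not raw hits
    update_existing: bool = True        # comment on the open case for this bucket instead of opening another


@dataclass
class Case:
    owner: str
    title: str
    description: str
    comments: List[str] = field(default_factory=list)


CASE_API_USERS = {"soc-automation", "alice"}  # constructed stand-in for the "user exists / can access API" check


def validate_action(action: CaseRuleAction) -> None:
    """The save-time check the issue asks for: reject owners that cannot use the cases API."""
    if action.owner not in CASE_API_USERS:
        raise ValueError(f"case owner {action.owner!r} does not exist or cannot access the cases API")


class CaseActionRunner:
    """Sliding-window aggregation per group_by bucket; opens or updates a case when the threshold is met."""

    def __init__(self, action: CaseRuleAction):
        validate_action(action)
        self.action = action
        self.cases: List[Case] = []
        self.outcomes: List[Optional[str]] = []
        self._open: Dict[tuple, Case] = {}
        self._buckets: Dict[tuple, Deque[Tuple[datetime, dict]]] = defaultdict(deque)

    def _count(self, events: List[dict]) -> int:
        if self.action.unique_field is None:
            return len(events)
        return len({get_field(e, self.action.unique_field) for e in events})

    def handle(self, event: dict) -> Optional[str]:
        """Feed one event (in time order). Returns 'opened', 'commented' or None."""
        ts = datetime.fromisoformat(event["@timestamp"].replace("Z", "+00:00"))
        key = tuple(get_field(event, f) for f in self.action.group_by)
        bucket = self._buckets[key]
        bucket.append((ts, event))
        while ts - bucket[0][0] > self.action.window:  # evict hits older than the window
            bucket.popleft()
        outcome = None
        if self._count([e for _, e in bucket]) >= self.action.threshold:
            bucket.clear()  # one burst fires once; the next burst starts a fresh window
            existing = self._open.get(key)
            if existing is not None and self.action.update_existing:
                existing.comments.append(render(self.action.description, event))
                outcome = "commented"
            else:
                case = Case(self.action.owner, render(self.action.title, event),
                            render(self.action.description, event))
                self.cases.append(case)
                self._open[key] = case
                outcome = "opened"
        self.outcomes.append(outcome)
        return outcome


def run(action: CaseRuleAction, events: List[dict]) -> CaseActionRunner:
    runner = CaseActionRunner(action)
    for event in events:
        runner.handle(event)
    return runner


def _ev(ts, src, dst, host="web-01"):  # constructed sample event, not real data
    return {"@timestamp": ts, "source": {"ip": src}, "destination": {"ip": dst},
            "host": {"name": host}, "event": {"action": "ssh_login_failed"}}


SAMPLE_EVENTS = [
    _ev("2020-04-01T10:00:00Z", "10.0.0.5", "10.0.0.20"),
    _ev("2020-04-01T10:00:30Z", "10.0.0.5", "10.0.0.20"),
    _ev("2020-04-01T10:01:00Z", "10.0.0.5", "10.0.0.20"),  # 3rd hit from this pair: case opened
    _ev("2020-04-01T10:01:10Z", "10.0.0.6", "10.0.0.20"),  # different source: its own bucket
    _ev("2020-04-01T10:02:00Z", "10.0.0.5", "10.0.0.20"),
    _ev("2020-04-01T10:02:30Z", "10.0.0.5", "10.0.0.20"),
    _ev("2020-04-01T10:03:00Z", "10.0.0.5", "10.0.0.20"),  # pair fires again: comment, not a 2nd case
    _ev("2020-04-01T10:03:20Z", "10.0.0.7", "10.0.0.20"),  # 3rd distinct source against 10.0.0.20
    _ev("2020-04-01T10:30:00Z", "10.0.0.5", "10.0.0.20"),  # window expired: counting restarts
]

PER_PAIR_ACTION = CaseRuleAction(
    owner="soc-automation",
    title="Repeated {{event.action}} from {{source.ip}} to {{destination.ip}}",
    description="{{host.name}} saw {{event.action}} from {{source.ip}} at {{@timestamp}}",
    group_by=("source.ip", "destination.ip"), threshold=3, window=timedelta(minutes=5))

UNIQUE_SOURCE_ACTION = CaseRuleAction(
    owner="soc-automation",
    title="Distinct sources failing logins against {{destination.ip}}",
    description="Latest source {{source.ip}} on {{host.name}}",
    group_by=("destination.ip",), threshold=3, window=timedelta(minutes=5), unique_field="source.ip")
```

Running `run(PER_PAIR_ACTION, SAMPLE_EVENTS)` opens one case on the third hit and attaches the second burst as a comment; `run(UNIQUE_SOURCE_ACTION, SAMPLE_EVENTS)` ignores the repeated hits from 10.0.0.5 and opens a case only once three distinct sources have hit 10.0.0.20 within the window. The bucket is cleared when it fires so that a sustained burst produces one case plus periodic comments rather than a case per event past the threshold; without that reset, every further hit inside the window would re-trigger the action.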