Extract alert ID from alert audit logs in the SIEM #183134

Open
mbudge opened this issue May 10, 2024 · 2 comments
Labels
Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams)

Comments

@mbudge

mbudge commented May 10, 2024

With event.actions like alert_find and alert_get, can you extract the alert ID from the message? This is so we can search the alert audit logs more easily.

The message is

User has accessed alert [id=f1a816356d90b92a5315d00ca414b4cc33caa52f3a251edb6a99e5e54d99830a]

@botelastic botelastic bot added the needs-team Issues missing a team label label May 10, 2024
@mbudge (Author)

mbudge commented May 10, 2024

This will make it easier to show how many alerts were displayed to the security analysts on each day.
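A SIEM-side workaround for what the two comments above ask for, added here as an example and not code from Kibana or from the issue's author: pull the id out of the message with a regular expression, copy it into a dedicated field so the SIEM can filter and aggregate on it, and count distinct alert ids per day for the read-type actions (alert_get, alert_find). The `alert.id` target field, the `_event` helper and every log line below are constructed for this example; only the message format `User has accessed alert [id=...]` and the action names come from the issue.

```python
import json
import re
from collections import defaultdict

# Alert ids in the audit messages quoted in the issue look like
# "User has accessed alert [id=<64 hex chars>]".
ALERT_ID_RE = re.compile(r"\[id=([0-9a-f]{64})\]")


def extract_alert_id(message):
    """Return the alert id embedded in an audit message, or None if it carries none."""
    match = ALERT_ID_RE.search(message or "")
    return match.group(1) if match else None


def enrich(event):
    """Copy the id out of the message into a dedicated field.

    'alert.id' is an assumed field name for this example, not a Kibana or ECS field.
    """
    alert_id = extract_alert_id(event.get("message"))
    if alert_id is not None:
        event["alert"] = {"id": alert_id}
    return event


def distinct_alerts_per_day(lines, actions=("alert_get", "alert_find")):
    """Count distinct alert ids per UTC day for the given event.action values.

    Repeated reads of the same alert on one day count once; events whose
    message carries no id are skipped rather than counted.
    """
    seen = defaultdict(set)
    for line in lines:
        event = enrich(json.loads(line))
        if event.get("event", {}).get("action") not in actions:
            continue
        alert_id = event.get("alert", {}).get("id")
        if alert_id is None:
            continue  # nothing to count for an id-less message
        day = event["@timestamp"][:10]  # date prefix of the ISO-8601 timestamp
        seen[day].add(alert_id)
    return {day: len(ids) for day, ids in sorted(seen.items())}


# Constructed sample audit events (not real Kibana output), shaped like the
# issue describes: an event.action plus a message carrying the id.
ISSUE_ID = "f1a816356d90b92a5315d00ca414b4cc33caa52f3a251edb6a99e5e54d99830a"
OTHER_ID = "0" * 63 + "1"
THIRD_ID = "1" * 64


def _event(ts, action, message, user="analyst1"):
    # Helper constructed for the example; builds one JSON audit line.
    return json.dumps({"@timestamp": ts, "event": {"action": action},
                       "user": {"name": user}, "message": message})


SAMPLE_LOG = [
    _event("2024-05-10T08:00:00Z", "alert_get", f"User has accessed alert [id={ISSUE_ID}]"),
    _event("2024-05-10T09:30:00Z", "alert_get", f"User has accessed alert [id={ISSUE_ID}]"),  # same alert again
    _event("2024-05-10T10:00:00Z", "alert_find", f"User has accessed alert [id={OTHER_ID}]"),
    _event("2024-05-10T10:00:01Z", "alert_find", "User is finding alerts"),  # constructed id-less message
    _event("2024-05-11T07:15:00Z", "alert_get", f"User has accessed alert [id={THIRD_ID}]"),
    _event("2024-05-11T07:20:00Z", "alert_update", f"User has updated alert [id={THIRD_ID}]"),  # not a read action
]

if __name__ == "__main__":
    print(distinct_alerts_per_day(SAMPLE_LOG))  # {'2024-05-10': 2, '2024-05-11': 1}
```

The regex anchors on the `[id=...]` bracket syntax rather than on the sentence in front of it, so it still matches if the wording of the message changes while the id format stays the same; if Kibana ever emits ids that are not 64 lowercase hex characters, the `{64}` quantifier is the line to relax.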

@lukasolson lukasolson added Team:ResponseOps Label for the ResponseOps team (formerly the Cases and Alerting teams) and removed needs-team Issues missing a team label labels May 14, 2024
@elasticmachine (Contributor)

Pinging @elastic/response-ops (Team:ResponseOps)
