SIEM Signals Index: Unique "incident id" or "signal id" per signal fired instead of just _id for doc record. #75129
Labels: enhancement, Feature:Detection Rules, Team:Detection Engine, Team:Detections and Resp, Team: SecuritySolution, Team:SIEM
Describe the feature:
The signals index has an _id field that uniquely identifies the signal document, but we'd like to have a human-readable, incrementing unsigned integer in signal.incident_id, e.g. incident_id 1234567890, 1234567891, etc.
Describe a specific use case for the feature:
If one team member or user is investigating an incident, they should be able to quickly share the given "signal id", or incident id in more general terms, that uniquely identifies the individual signal that fired.
In the SIEM tab, an analyst should be able to search by pasting in an "incident_id", and it should retrieve the underlying signal document.
Likewise, programmatic systems should be able to poll (incident_id > last_incident_id_seen) and retrieve the latest incidents.
Thanks,
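As an added illustration of the two lookups the request describes (it is editor-written example code, not part of the issue or of the Kibana/Elastic code base): a minimal in-memory model of the signals index where each document keeps its opaque `_id` and is additionally stamped with the proposed `signal.incident_id` counter, a lookup by that integer, a poll for ids newer than the last one seen, and the same poll expressed as a standard Elasticsearch range query. The sample documents, ids and the assumption that one writer owns the counter are constructed for the example.

```python
"""Editor's added example, not Kibana/Elastic code: a toy signals index with
the proposed signal.incident_id counter, the analyst lookup by incident_id,
and the programmatic poll for ids newer than the last one seen."""
from typing import Dict, List, Optional

# Constructed sample hits in the shape Elasticsearch returns them:
# an opaque _id string plus the signal fields under _source.
SIGNALS: List[Dict] = [
    {"_id": "b3f9c2a1e0d4", "_source": {"rule": "ssh-brute-force", "host": "web-01"}},
    {"_id": "7a1d9e33c0ff", "_source": {"rule": "new-admin-user", "host": "dc-02"}},
    {"_id": "c0ffee123456", "_source": {"rule": "ssh-brute-force", "host": "web-02"}},
]


def assign_incident_ids(docs: List[Dict], next_id: int) -> int:
    """Stamp every document that lacks one with the next unsigned integer.

    Returns the counter value to persist for the next batch. Uniqueness across
    runs depends on that persisted counter having a single writer (assumption
    made for this example; a multi-writer indexer would need an atomic source).
    """
    for doc in docs:
        signal = doc["_source"].setdefault("signal", {})
        if "incident_id" not in signal:
            signal["incident_id"] = next_id
            next_id += 1
    return next_id


def _incident_id(doc: Dict) -> int:
    return doc["_source"].get("signal", {}).get("incident_id", -1)


def find_by_incident_id(docs: List[Dict], incident_id: int) -> Optional[Dict]:
    """Analyst use case: paste an incident_id, get the underlying document back."""
    for doc in docs:
        if _incident_id(doc) == incident_id:
            return doc
    return None


def poll_since(docs: List[Dict], last_seen: int) -> List[Dict]:
    """Programmatic use case: every signal with incident_id > last_seen, oldest first.

    The ordering is only meaningful because incident_id is an integer; the
    hexadecimal _id strings carry no useful order.
    """
    newer = [doc for doc in docs if _incident_id(doc) > last_seen]
    return sorted(newer, key=_incident_id)


def range_query(last_seen: int, size: int = 100) -> Dict:
    """The same poll as an Elasticsearch search body.

    Uses the standard range query and sort syntax; the field name
    signal.incident_id is taken from the issue text.
    """
    return {
        "size": size,
        "query": {"range": {"signal.incident_id": {"gt": last_seen}}},
        "sort": [{"signal.incident_id": {"order": "asc"}}],
    }


if __name__ == "__main__":
    next_id = assign_incident_ids(SIGNALS, 1234567890)
    print("next counter value:", next_id)
    print("lookup 1234567891:", find_by_incident_id(SIGNALS, 1234567891)["_id"])
    print("new since 1234567890:", [_incident_id(d) for d in poll_since(SIGNALS, 1234567890)])
    print("query body:", range_query(1234567890))
```

Because `assign_incident_ids` returns the next counter value rather than storing it, a caller can persist that value alongside the batch and resume numbering after a restart without reusing an id.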