
[Request] Risk Score calculation for "closed" alerts #6254

Closed
abhishekbhatia1710 opened this issue Nov 27, 2024 · 0 comments · Fixed by #6271
Labels: Docset: ESS; Docset: Serverless; Effort: Small; Feature: Entity Analytics; Priority: Medium; Team: Entity Analytics; v8.18.0


abhishekbhatia1710 commented Nov 27, 2024

Description

We are introducing a new feature that allows users to include "closed" alerts in risk score calculations. This enhancement improves the user experience by providing a more comprehensive view of the system.

Users can toggle a button to include closed alerts in the risk score calculation and specify a date/time range for the calculation. Additionally, they can preview the data before finalising and saving these changes for the next engine run.

[Image]

Background & resources

  • PRs:

Test environments:

Kibana: https://kibana-pr-201909-security-f6e262.kb.eu-west-1.aws.qa.elastic.cloud/#
Elasticsearch: https://kibana-pr-201909-security-f6e262.es.eu-west-1.aws.qa.elastic.cloud/

Credentials:

```shell
vault read -address=https://secrets.elastic.co:8200 secret/kibana-issues/dev/cloud-deploy/kibana-pr-201909-security
```

Kibana image: docker.elastic.co/kibana-ci/kibana-serverless:pr-201909-d0f22970266f

Which documentation set does this change impact?

ESS and serverless

ESS release

8.18

Serverless release

Next release

Feature differences

The feature is identical in ESS and serverless

API docs impact

New API endpoint: `api/risk_score/engine/saved_object/configure`
Users can send a PUT request to this endpoint to use the feature to include closed alerts for risk score calculation.
Users can send the following information with the request:

  • `exclude_alert_statuses`: `["open", "closed"]`
  • `range`: `{"start": "now-40m", "end": "now"}`
  • `exclude_alert_tags`: `["False positive"]`

For example:

```shell
curl --location --request PUT 'http://localhost:5601/api/risk_score/engine/saved_object/configure' \
--header 'kbn-xsrf: hello' \
--header 'elastic-api-version: 2023-10-31' \
--header 'x-elastic-internal-origin: test' \
--header 'Content-Type: application/json' \
--header 'Authorization: <REDACTED>' \
--data '{
    "exclude_alert_statuses" : ["open", "closed"],
    "range": {
        "start" : "now-23m",
        "end" : "now"
    },
    "exclude_alert_tags" : ["False-positive"]
}'
```

Prerequisites, privileges, feature flags

No response
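Added example (not Kibana's code and not the issue author's): a small Python helper that validates a configuration body of the shape described in the API docs section above and assembles the same PUT request as the curl example. It assumes that the only accepted status values are the ones the issue lists (`open`, `closed`), that range bounds are Elasticsearch date math relative to `now` (such as `now-40m`) or ISO-8601 timestamps (the regex is a deliberately simplified check), and that the redacted `Authorization` header carries an API key; none of that is confirmed by the issue.

```python
"""Build, validate and submit the risk-engine configuration described in the issue.

Added example, not Kibana's own client code. Assumptions not stated on the page:
- only the alert statuses the issue lists ("open", "closed") are accepted;
- range bounds are Elasticsearch date math relative to "now" (e.g. "now-40m")
  or ISO-8601 timestamps; the regexes below are simplified checks;
- the redacted Authorization header is an API key.
"""
import json
import re
import urllib.request

CONFIGURE_PATH = "/api/risk_score/engine/saved_object/configure"
ALLOWED_STATUSES = {"open", "closed"}  # assumption: the values shown in the issue
DATE_MATH = re.compile(r"^now(?:[+-]\d+[smhHdwMy])*(?:/[smhHdwMy])?$")
ISO_TS = re.compile(r"^\d{4}-\d{2}-\d{2}(?:T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z?)?$")


def _check_bound(name, value):
    """Reject a range bound that is neither date math nor an ISO timestamp."""
    if not isinstance(value, str) or not (DATE_MATH.match(value) or ISO_TS.match(value)):
        raise ValueError(f"range.{name} is not date math or an ISO timestamp: {value!r}")


def build_payload(exclude_alert_statuses, range_start, range_end, exclude_alert_tags=()):
    """Return the JSON body for the PUT, rejecting values the engine would not understand."""
    statuses = list(exclude_alert_statuses)
    unknown = set(statuses) - ALLOWED_STATUSES
    if unknown:
        raise ValueError(f"unknown alert status(es): {sorted(unknown)}")
    _check_bound("start", range_start)
    _check_bound("end", range_end)
    tags = list(exclude_alert_tags)
    if any(not isinstance(t, str) or not t for t in tags):
        raise ValueError("exclude_alert_tags must be non-empty strings")
    return {
        "exclude_alert_statuses": statuses,
        "range": {"start": range_start, "end": range_end},
        "exclude_alert_tags": tags,
    }


def build_request(base_url, api_key, payload):
    """Assemble the PUT with the headers the issue's curl example sends.

    The "ApiKey" scheme is an assumption; the issue redacts the Authorization value.
    """
    headers = {
        "kbn-xsrf": "true",
        "elastic-api-version": "2023-10-31",
        "x-elastic-internal-origin": "test",
        "Content-Type": "application/json",
        "Authorization": f"ApiKey {api_key}",
    }
    body = json.dumps(payload).encode("utf-8")
    return urllib.request.Request(
        base_url.rstrip("/") + CONFIGURE_PATH, data=body, headers=headers, method="PUT"
    )


def send_config(base_url, api_key, payload, timeout=10):
    """Submit the configuration and return (HTTP status, parsed response body)."""
    req = build_request(base_url, api_key, payload)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        raw = resp.read().decode("utf-8")
        return resp.status, (json.loads(raw) if raw else None)


if __name__ == "__main__":
    # Constructed sample values mirroring the issue's example; nothing is sent here.
    cfg = build_payload(["open", "closed"], "now-23m", "now", ["False-positive"])
    print(json.dumps(cfg, indent=2))
```

`send_config` performs the real request against a Kibana base URL; the validation in `build_payload` runs before anything leaves the host, so a typo in a status or a malformed range fails locally instead of producing a saved object the engine cannot use.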

natasha-moore-elastic self-assigned this Nov 27, 2024
natasha-moore-elastic added labels Feature: Entity Analytics, Docset: Serverless, Docset: ESS, Team: Entity Analytics, Priority: Medium, Effort: Small on Nov 27, 2024