Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[FEATURE] - Include user id/username that acknowledges an alert. #1410

Open
givilleneuve opened this issue Oct 30, 2024 · 1 comment
Open

[FEATURE] - Include user id/username that acknowledges an alert. #1410

givilleneuve opened this issue Oct 30, 2024 · 1 comment
Labels
enhancement New feature or request

Comments

@givilleneuve
Copy link

Is your feature request related to a problem?
Yes, in any large SOC team, traceability and audit of who is acknowledging an alert is always required. Unfortunately, I have not been able to identify anywhere this information is being recorded in the OS cluster.
I have looked into the security-audit-log as well as the .opensearch-sap-logtype-alerts and alert history. I have the timestamp of when it was ack but not by who.

What solution would you like?
The solution should index a new field in the log entry for the alert adding also the user.name.ack.
image

What alternatives have you considered?
I tried to find in the security log index to correlate, but no success.
@givilleneuve givilleneuve added enhancement New feature or request untriaged labels Oct 30, 2024
@krisfreedain
Copy link
Member

[Catch All Triage - 1, 2, 3, 4, 5]

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@krisfreedain @givilleneuve