Add quick action to find related alerts for a detection

This commit is contained in:
Jason Ertel
2024-05-09 17:55:41 -04:00
parent 19e1aaa1a6
commit fecd674fdb
2 changed files with 7 additions and 0 deletions


@@ -78,6 +78,12 @@ soc:
target: ''
links:
- '/#/hunt?q=(process.entity_id:"{:process.entity_id}" OR process.entity_id:"{:process.Ext.ancestry|processAncestors}") | groupby event.dataset | groupby -sankey event.dataset event.action | groupby event.action | groupby process.parent.name | groupby -sankey process.parent.name process.name | groupby process.name | groupby process.command_line | groupby host.name user.name | groupby source.ip source.port destination.ip destination.port | groupby dns.question.name | groupby dns.answers.data | groupby file.path | groupby registry.path | groupby dll.path'
- name: actionRelatedAlerts
description: actionRelatedAlertsHelp
icon: fa-bell
links:
- '/#/alerts?q=rule.uuid: {:so_detection.publicId|escape} | groupby rule.name event.module* event.severity_label'
target: ''
eventFields:
default:
- soc_timestamp

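Review bot: The new `actionRelatedAlerts` entry lists `links:` before `target: ''`, while the preceding action in the same list (context lines `target: ''` / `links:` at the top of the hunk) puts `target` first; since every other action appears to follow that order, reordering the new entry to `icon`, `target`, `links` keeps the stanza diffable against its siblings. The injected detection id is passed through `|escape`, which is the right call for a value that lands in a query string, but unlike the hunt link above (`process.entity_id:"{:process.entity_id}"`) it is not wrapped in double quotes; if the alerts query syntax treats an unquoted term the same way, this is fine, otherwise `rule.uuid:"{:so_detection.publicId|escape}"` would keep the id a single term. The diffstat shows only this defaults file and a template changed, so `actionRelatedAlerts` / `actionRelatedAlertsHelp` presumably resolve against translation keys that already exist; worth confirming, since an unknown key would surface as raw text on the button. The enclosing `soc:` mapping starts and ends outside the hunk.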

@@ -79,6 +79,7 @@
{% do SOCMERGED.config.server.client.update({'job': {'actions': standard_actions}}) %}
{% do SOCMERGED.config.server.client.alerts.update({'actions': standard_actions}) %}
{% do SOCMERGED.config.server.client.cases.update({'actions': standard_actions}) %}
{% do SOCMERGED.config.server.client.detections.update({'actions': standard_actions}) %}
{# replace the _x_ with . for soc ui to config conversion #}
{% do SOCMERGED.config.eventFields.update({':endpoint:events.api': SOCMERGED.config.eventFields.pop(':endpoint:events_x_api') }) %}
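Review bot: Wiring `standard_actions` onto `detections` means every action in that list, including ones whose link templates reference event-only fields such as `{:process.entity_id}` in the hunt link, is now offered on the detection view; if the UI does not hide an action whose placeholder fields are absent, those entries will render with empty substitutions, so it is worth confirming that behaviour or scoping the list. The surrounding `do` lines carry no explanation of why job, alerts, cases and detections all share one list, and the only comment nearby documents an unrelated key rewrite; a one-line note such as `{# detections reuse the standard action list so the related-alerts quick action is available there #}` above the new line would record the intent. The template block continues outside the hunk.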