Cases escalation via elastalert #10258
Replies: 1 comment 1 reply

- Hi, is it possible to make a custom output for elastalert rules in order to automatically open a new case when the rule triggers? Thanks

- It may be possible to cobble something together using the HTTP POST alerter to generate a new record in the so-cases index, but it's not something that we've tested, nor do we recommend it: a misconfigured or mistuned rule could easily generate hundreds or thousands of cases that you would need to clean up. The intended workflow is that an alert is escalated into Cases only after an analyst has looked at it and determined that it is not a false positive and it merits further investigation.
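The reply above warns that a mistuned rule wired straight to case creation produces hundreds of cases. The following is an added illustration of that failure mode and of the kind of guard you would want in front of any automatic escalation; it is not code from the Security Onion project or the thread. The match dictionaries are constructed, and the case document fields (`title`, `severity`, `tags`, `source_alert_id`) are assumed for illustration, not the so-cases schema. The guard itself (one case per rule/key within a window, plus a per-rule cap) is a hypothetical policy, not an elastalert feature.

```python
"""Guarding automatic case creation from elastalert matches (added example).

Assumptions: match dicts are synthetic; case document field names are
illustrative and do not reflect the so-cases index mapping.
"""
from collections import defaultdict
from datetime import datetime, timedelta


class CaseEscalationGuard:
    """Decide whether an elastalert match may open a new case.

    Two hypothetical controls:
      - dedupe: at most one case per (rule, key) inside `window`
      - cap:    at most `max_per_rule` cases per rule inside `window`
    """

    def __init__(self, window=timedelta(hours=24), max_per_rule=5):
        self.window = window
        self.max_per_rule = max_per_rule
        self._seen = {}                      # (rule, key) -> time of last case
        self._per_rule = defaultdict(list)   # rule -> times of cases opened

    def _prune(self, rule, now):
        cutoff = now - self.window
        self._per_rule[rule] = [t for t in self._per_rule[rule] if t > cutoff]

    def should_escalate(self, rule, key, now):
        """Return (allowed, reason); records the case only when allowed."""
        self._prune(rule, now)
        last = self._seen.get((rule, key))
        if last is not None and now - last < self.window:
            return False, "duplicate"
        if len(self._per_rule[rule]) >= self.max_per_rule:
            return False, "rule-cap"
        self._seen[(rule, key)] = now
        self._per_rule[rule].append(now)
        return True, "new"


def build_case(match, rule_name):
    """Build the case document that would be POSTed (field names assumed)."""
    return {
        "title": f"{rule_name}: {match.get('source.ip', 'unknown')}",
        "severity": match.get("event.severity", "medium"),
        "description": match.get("message", ""),
        "tags": ["elastalert", rule_name],
        "source_alert_id": match.get("_id"),
    }


def escalate_matches(matches, rule_name, key_field, guard=None):
    """Run matches through the guard; return (cases opened, rejection counts)."""
    guard = guard or CaseEscalationGuard()
    cases, rejected = [], defaultdict(int)
    for m in matches:
        now = datetime.fromisoformat(m["@timestamp"])
        allowed, reason = guard.should_escalate(rule_name, m.get(key_field), now)
        if allowed:
            cases.append(build_case(m, rule_name))
        else:
            rejected[reason] += 1
    return cases, dict(rejected)


def noisy_rule_matches(n=500):
    """Constructed input: a mistuned rule firing once a minute from 10 hosts."""
    start = datetime(2024, 1, 1, 0, 0, 0)
    return [
        {
            "_id": f"alert-{i}",
            "@timestamp": (start + timedelta(minutes=i)).isoformat(),
            "source.ip": f"10.0.0.{i % 10 + 1}",
            "message": "Suspicious outbound connection",
            "event.severity": "high",
        }
        for i in range(n)
    ]


if __name__ == "__main__":
    matches = noisy_rule_matches()
    # Naive wiring (one POST per match) would open len(matches) cases.
    cases, rejected = escalate_matches(matches, "outbound-beacon", "source.ip")
    print(f"{len(matches)} matches -> {len(cases)} cases opened; rejected: {rejected}")
```

Without the guard, the 500 matches from this one rule would become 500 cases to clean up, which is exactly the outcome the reply cautions against; with it, five cases are opened and the rest are dropped as duplicates or by the per-rule cap. If you do experiment with the HTTP POST alerter, elastalert's own `realert` and `query_key` settings give you the dedupe half of this for free, but nothing substitutes for the analyst review step the reply describes.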