Usage¶
ES¶
Once everything is installed and enabled, users will see new ES notables with a title of ITSI Alert - rule. The rule will be replaced with the ITSI Notable Event Aggregation Policy (NEAP) that created the episode. The correlation search will make every attempt to correlate the entity that came from ITSI with a valid asset in ES. The notable in ES includes helpful pieces of information from ITSI. Below maps the fields from ITSI to ES to help the teams collaborate and view the same alert
| ES Field | ITSI Field |
|---|---|
| Reason | itsi_group_title |
| Rule Identifier | itsi_policy_id |
| Source | entity_title |
| View | itsi_group_id (unique episode ID) |
| Severity | itsi_group_severity |
| Description | itsi_group_description |
ITSI¶
In ITSI users will see new notables with a title of ES Alert - rule. The rule will be replaced with the ES correlation search (rule) that created the notable. Once an organizations NEAPs are adjusted, these notables should become part of larger episodes to help raise visibility that a secuirty alert is affecting the same entity as the episode. Correlation is done on the asset from ES to the ITSI entity title. The notable in ITSI includes helpful pieces of information from ES. Below maps the fields from ES to ITSI to help the teams collaborate and view the same alert
| ITSI Field | ES Field |
|---|---|
| entity_title | risk_object,dest_asset,src_asset,dest,src |
| notable_description | rule_title |
| notable_id | rule_id (unique notable ID) |
| rule | source (correlation search) |
| urgency | urgency |
| Drilldown Link | Direct link to the notable in ES |