In the web UI, it would be nice to have a button available that allows the user to manually send the detection to a configurable Output, or to choose from a list of outputs (maybe you can somehow mark one as a favorite). If the detection panel is being used for triage, a common workflow might be that once a detection is determined to be an incident or to need further investigation, the analyst creates a ticket in a ticketing platform (via outbound webhook). This additional web UI feature could improve that workflow.
Hi Michael, thanks for sharing.
If you wanted to send all detections produced by this D&R rule to an output, you could add an output action to the rule that produced it.
(Note to LC: we can add a "go to Rule" link to help jump from a Detection to its rule.)
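A D&R rule of the kind the reply above describes: alongside the `report` action that produces the detection, an `output` action forwards the matching event to a pre-configured Output by name. This is an added illustration, not a rule from the thread or from LimaCharlie's own documentation; the detection logic, the rule name and the Output name `ticketing-webhook` are assumptions.

```yaml
# Added illustration, not from the thread. The detect logic and all names
# below are assumed; adapt them to the rule and Output you actually use.
detect:
  event: NEW_PROCESS
  op: ends with
  path: event/FILE_PATH
  value: \mshta.exe
  case sensitive: false
respond:
  # Produces the detection that shows up in the Detections panel.
  - action: report
    name: suspicious-mshta-launch
    priority: 3
  # Forwards the same matching event to an existing Output by name.
  # "ticketing-webhook" is an assumed Output (e.g. a webhook Output pointed
  # at a ticketing platform); it must already be configured in the org.
  - action: output
    name: ticketing-webhook
```

Because the `output` action fires for every match of this rule, it covers the "all detections from this rule" case; the per-detection, analyst-driven routing the original poster asks for is not something the rule itself can decide.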
But looks like you’re looking to have an analyst decide on a very specific detection instance, and add it to a ticketing system, correct?
Correct. Just from a workflow perspective, not all rules will generate detections that are actionable (some will be FP, some will be normal activity). It would be nice to allow an analyst to individually send detections to an output (which would be a ticketing system).
OK, understood, thanks for the clarification. Can't make immediate promises, but we'll explore some ideas on how to achieve it.