Thanks a lot for your response.
Can you clarify what you mean by controlling the number of deduplications?
Just some background information. When we first integrated Demisto and ExtraHop together, we noticed several deduplication events in Demisto’s warroom for detections such as ‘Weekly Summary: Weak Cipher Suites’, which used up resources from Dbot. From the ExtraHop UI, as the detection is ongoing, we noticed the counts under ‘Investigate Sources’ and ‘Investigate Clients’ increase, which we reckon will fire the ‘DETECTION_UPDATE’. Hence, I would like to check if there’s any way for us to control the threshold of the deduplication (DETECTION_UPDATE)? Possibly by trigger? We would like to ensure that, moving forward, if there is a large amount of deduplication for a potentially new detection that was identified by the cloud services/rule-based detection, we are able to at least ‘control’ it. Or maybe fire an email to notify of a large amount of deduplication, if possible.
The supported Demisto trigger exposes a subset of detection fields for filtering. If you’re willing to make your own trigger, you can copy the current one and then use any of the properties of Detection to decide whether or not to send the detection to Demisto. For example, you can use Detection.participants to inspect the devices and IP addresses associated with the detection.
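An added example, not code from this thread or from the ExtraHop Demisto bundle: the filtering idea above (decide per detection whether to forward it, using its title and Detection.participants) written as a plain JavaScript function so it can run and be tested outside the trigger runtime. It assumes Detection.title exists alongside Detection.participants; the threshold, the prefix list and the in-memory state map are hypothetical choices, and the participant objects are constructed.

```javascript
// Added example in the style of ExtraHop trigger logic, factored into a
// function that takes a detection-like object. In a real trigger the global
// Detection object for the DETECTION_UPDATE event would be passed instead.

// Titles whose repeated updates add noise in the Demisto warroom (assumed list).
const SUPPRESSED_TITLE_PREFIXES = ['Weekly Summary:'];

// Forward a repeat update only when the participant count has grown by at
// least this many entries since the last forward (hypothetical threshold).
const PARTICIPANT_GROWTH_THRESHOLD = 5;

// Per-detection state. A real trigger would keep this in a persistent store;
// an in-memory Map keeps the example self-contained.
const lastForwardedCount = new Map();

function resetState() {
  lastForwardedCount.clear();
}

// Returns { forward: boolean, reason: string } for one detection update.
function shouldForward(detection) {
  const title = detection.title || '';
  if (SUPPRESSED_TITLE_PREFIXES.some((p) => title.startsWith(p))) {
    return { forward: false, reason: 'suppressed title' };
  }
  const count = Array.isArray(detection.participants) ? detection.participants.length : 0;
  const prev = lastForwardedCount.get(detection.id);
  if (prev === undefined) {
    // First sighting of this detection id: always forward.
    lastForwardedCount.set(detection.id, count);
    return { forward: true, reason: 'first sighting' };
  }
  if (count - prev >= PARTICIPANT_GROWTH_THRESHOLD) {
    // Enough new participants to justify another update in Demisto.
    lastForwardedCount.set(detection.id, count);
    return { forward: true, reason: 'participant growth' };
  }
  return { forward: false, reason: 'update below threshold' };
}

// Constructed participant list; only its length matters to shouldForward.
function makeParticipants(n) {
  return Array.from({ length: n }, (_, i) => ({ role: 'offender', ipaddr: `10.0.0.${i + 1}` }));
}

// Stand-alone run: a weekly summary is dropped, a new detection is forwarded.
console.log(shouldForward({ id: 'demo-1', title: 'Weekly Summary: Weak Cipher Suites', participants: makeParticipants(3) }));
console.log(shouldForward({ id: 'demo-2', title: 'Example Detection', participants: makeParticipants(2) }));
```

Calling Remote.HTTP or whatever the copied trigger uses to post to Demisto would replace the console.log calls inside the trigger itself.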
What would be the recommended way to do it? Should we input the filters for specific detection titles in the Demisto trigger? Or should we create another trigger to filter and do a nested trigger (if possible)? Or is there any UI that allows us to input a specific filter for some detection and hide the alert? Or to run certain filtering triggers to hide a specific detection title using priority levels (e.g. putting filtering triggers as the top priority to reduce noise before any processing)?
My coworker @swagatdasgupta would love to discuss this use-case in more detail. Can you share some detection types where you’re interested in having additional fields to send to Demisto, and what those fields are?
As we have potentially new detections coming in on a regular basis with the Demisto integration in sight, we are trying to identify whether there are any other fields we could potentially send to Demisto on the fly. Are we limited to the ‘Detection’ section in the Trigger API Reference? What other corresponding fields in Demisto does the bundle support, as there are several other pieces of information in the Reveal(x) and Demisto integration reference? (Please find attached image for corresponding fields.)