Description
Problem Description
Background
For reporting purposes, many organizations have requirements to provide metrics on different ruleset perspectives and one way to support generating those insights is using detection rule metadata. An easy injection point into enhancing rule metadata with customer-specific considerations is using the tags feature (particularly via bulk tag assignment). Tags are able to be added individually and in bulk for existing rules, and manually typed out at rule creation.
Desired Solution
Request
It would be useful to be able to define "global" alert tags in an array that would get auto-inherited into the rule at creation time.
From a user interaction perspective, I think it would fit as an optional rules setting to configure via the Security > Rules dashboard. Functionally, it would support an array of entries. Once created, it would be appended into the prebuilt tags list for existing rules and inherited into the list when creating a new rule.
Considered Alternatives
As described above, the entries can be manually typed out, but if you have more than a couple of these entries it becomes a process flow speed bump, slowing down progress in sprint rule deployments.
It could be automated via customer DevOps resources, but that imposes an extra internal cost, and their availability may not allow the metadata enhancement to be executed quickly within Detection Engineering effort timelines. That cost gets compounded as organizational scale introduces more segmented RBAC controls.
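One way the DevOps automation alternative above could look, as an added example that is not part of this issue or of Kibana itself: merge a global tag array into each rule's existing tags idempotently and build the body of a bulk-edit request for only the rules that actually need it. The `/api/detection_engine/rules/_bulk_action` endpoint and the `add_tags` edit type are assumed from Kibana's detection rules bulk action API (verify against your version); the rule ids and tag values are constructed.

```python
# Added example, not from the issue or from Kibana. Shows the "global tags appended
# to each rule's tag list" behaviour the request describes, done client-side.
from typing import Dict, List

GLOBAL_TAGS: List[str] = ["Org:SOC", "Reporting:Quarterly"]  # constructed sample

# Constructed sample rules; only the fields needed for tagging are shown.
RULES: List[Dict] = [
    {"id": "rule-1", "tags": ["Domain: Endpoint", "Org:SOC"]},
    {"id": "rule-2", "tags": ["Domain: Cloud"]},
    {"id": "rule-3", "tags": ["Org:SOC", "Reporting:Quarterly"]},
]


def merge_tags(existing: List[str], global_tags: List[str]) -> List[str]:
    """Append global tags that are not already present, keeping existing order.
    Comparison is exact, because tags are plain case-sensitive strings."""
    seen = set(existing)
    merged = list(existing)
    for tag in global_tags:
        if tag not in seen:
            merged.append(tag)
            seen.add(tag)
    return merged


def rules_missing_tags(rules: List[Dict], global_tags: List[str]) -> List[str]:
    """Ids of rules whose tag list would change, so re-running the job is a no-op."""
    return [r["id"] for r in rules if merge_tags(r["tags"], global_tags) != r["tags"]]


def bulk_add_tags_body(rules: List[Dict], global_tags: List[str]) -> Dict:
    """Request body for POST /api/detection_engine/rules/_bulk_action (assumed
    endpoint/edit-type names). Empty dict means nothing needs changing."""
    ids = rules_missing_tags(rules, global_tags)
    if not ids:
        return {}
    return {
        "action": "edit",
        "ids": ids,
        "edit": [{"type": "add_tags", "value": list(global_tags)}],
    }


if __name__ == "__main__":
    print(bulk_add_tags_body(RULES, GLOBAL_TAGS))
```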