
Hi All,

In SIEM search, I want to filter out only the events that are flagged as alerts from all the events that are populated when queried. This result will be used in dashboards. How do I tell, from the UDM fields, whether an event is an alert?

Thanks


Hi,
If you're planning to use this for dashboards, you can use the following query in the SIEM Dashboards:

$rulename = detection.detection.rule_name
match:
  $rulename
outcome:
  $detection_count = count_distinct(detection.id)
order:
  $detection_count desc
limit:
  10



Thanks for the input. I would like to know, for a filtered user, how I can get the list of alerts for that user alone.

And another question: when we SIEM search for a particular user ID, we get the entity summary and associated entities in the Overview tab. Is there a way to implement this entity summary and associated entities in the native dashboard?


I’ve asked the same question not too long ago and from what I was told there doesn’t seem to be a way to do this in the UDM search (which is a serious gap in my opinion). If you have a large number of alerts for a given rule (over 20,000) it’s actually really hard to work with that dataset.

The only approach that met my needs was to export the alerts via a manual API query, which is far from ideal.
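The two needs raised in this thread, ranking rules by distinct detection count (what the dashboard query above does) and narrowing that to a single user (the follow-up question), can both be done client-side once the alerts have been exported, which is the workaround the last reply describes. The script below is an added example written for this page, not code from the thread or from the product. The record layout it consumes (an "id", a "rule_name", and the list of user IDs referenced by the triggering events) is an assumption constructed for the example; a real export would need a small mapping step onto these three fields first.

```python
"""Post-export summary of detections per rule, optionally scoped to one user.

Assumed record layout (constructed for this example, not taken from the
thread or from any product schema): each detection is a dict with an "id",
a "rule_name", and a "users" list holding the user IDs referenced by the
events that triggered it.
"""
from collections import defaultdict
from typing import Iterable, Optional

# Constructed sample export. det-001 appears twice on purpose, as happens
# when a paginated export overlaps, to show why counting distinct IDs matters.
SAMPLE_DETECTIONS = [
    {"id": "det-001", "rule_name": "brute_force_login", "users": ["alice", "svc-backup"]},
    {"id": "det-001", "rule_name": "brute_force_login", "users": ["alice", "svc-backup"]},
    {"id": "det-002", "rule_name": "brute_force_login", "users": ["bob"]},
    {"id": "det-003", "rule_name": "suspicious_powershell", "users": ["alice"]},
    {"id": "det-004", "rule_name": "suspicious_powershell", "users": ["carol"]},
    {"id": "det-005", "rule_name": "impossible_travel", "users": ["alice"]},
    {"id": "det-006", "rule_name": "impossible_travel", "users": ["alice"]},
    {"id": "det-007", "rule_name": "dns_tunneling", "users": []},  # no user context
]


def detections_for_user(detections: Iterable[dict], userid: str) -> list[dict]:
    """Keep only detections whose referenced events mention userid (case-insensitive)."""
    wanted = userid.lower()
    return [d for d in detections
            if any(u.lower() == wanted for u in d.get("users", []))]


def count_distinct_by_rule(detections: Iterable[dict], limit: int = 10) -> list[tuple[str, int]]:
    """Client-side equivalent of the dashboard query: count_distinct(detection.id)
    grouped by rule_name, ordered by that count descending, truncated to limit.
    Ties are broken by rule name so the output is deterministic."""
    ids_by_rule: dict[str, set[str]] = defaultdict(set)
    for d in detections:
        ids_by_rule[d["rule_name"]].add(d["id"])  # a set dedups repeated IDs
    ranked = sorted(((rule, len(ids)) for rule, ids in ids_by_rule.items()),
                    key=lambda kv: (-kv[1], kv[0]))
    return ranked[:limit]


def rule_summary(detections: Iterable[dict], userid: Optional[str] = None,
                 limit: int = 10) -> list[tuple[str, int]]:
    """Rank rules for the whole export, or only for detections involving userid."""
    scoped = detections_for_user(detections, userid) if userid else list(detections)
    return count_distinct_by_rule(scoped, limit)


if __name__ == "__main__":
    print("All users:")
    for rule, n in rule_summary(SAMPLE_DETECTIONS):
        print(f"  {rule:<25}{n}")
    print("alice only:")
    for rule, n in rule_summary(SAMPLE_DETECTIONS, userid="alice"):
        print(f"  {rule:<25}{n}")
```

The distinct-ID set is the part worth keeping even if the rest is adapted: an export that is paged or re-run will hand you the same detection more than once, and a plain row count then overstates how noisy a rule is.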

