Hello fam, got a question for y'all:

Suppose I have an alert that contains an entry like device=xyz

Suppose I am able to query historical data and determine information like:

device=abc, seen 50 times
device=lmk, seen 25 times

I'd like to basically answer this question: "is the alerted-on device within the typically seen historical devices?"

In this case, the answer would be no.
I know I can write a custom action to do this, but I'm trying to stay within the Siemplify cage for supportability.


Also, this is eventually intended to be sent out with a Cisco DUO MFA Integration, Connector and Usecase that'll be shared
Suppose my question would be: How can I do this? Let's say the API query will return all the devices seen, but won't count how many occurrences. So I'll need something to count occurrences, account for a threshold, compare to the alerted device and spit out True/False


Hey @John Deepak, can you share an example of the returned query results?


I assume it's going to be JSON format, but whatever it is, it will help.



Initial thoughts - you will need Jinja


Need to think a little bit more though



Sure! Here's the example from the example json. I intend to perform this workflow on a few different fields. For immediate example, use user_auth_logs.authlogs.access_device.ip
I decided to handle the bulk of this by editing the Action's logic to return the information I'm after along with the logs.
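A Python sketch of the counting, threshold and compare step described in the opening question and applied to the access_device.ip field named above; this is an added example, not code from the thread, from Siemplify or from the Duo integration, and the log shape, the field path walker and the function names are assumptions:

```python
"""Is the alerted-on value among the historically typical values?

Added example. The JSON below is constructed and only loosely modelled on the
field path mentioned in the thread (authlogs.access_device.ip); the real query
result shape is an assumption, so adjust the path to match it.
"""
import json
from collections import Counter

# Constructed sample of what a historical query might return (assumed shape).
SAMPLE_RESULT = json.dumps({
    "authlogs": [
        {"access_device": {"ip": "203.0.113.10"}, "result": "success"},
        {"access_device": {"ip": "203.0.113.10"}, "result": "success"},
        {"access_device": {"ip": "203.0.113.10"}, "result": "success"},
        {"access_device": {"ip": "198.51.100.7"}, "result": "success"},
        {"access_device": {}, "result": "denied"},  # field missing: skipped
    ]
})


def extract_values(result, path):
    """Walk a dotted path such as 'authlogs.access_device.ip'.

    Lists met along the way fan out, so one path yields one value per log
    entry; entries lacking the field are silently dropped.
    """
    nodes = [result]
    for key in path.split("."):
        next_nodes = []
        for node in nodes:
            for item in (node if isinstance(node, list) else [node]):
                if isinstance(item, dict) and key in item:
                    next_nodes.append(item[key])
        nodes = next_nodes
    flat = []
    for node in nodes:  # leaf may itself be a list
        flat.extend(node if isinstance(node, list) else [node])
    return [v for v in flat if v is not None]


def count_values(raw_json, path):
    """Occurrence count per value, since the API does not count for us."""
    return Counter(extract_values(json.loads(raw_json), path))


def is_typical(raw_json, path, alerted, threshold):
    """True when the alerted value was seen at least `threshold` times."""
    return count_values(raw_json, path).get(alerted, 0) >= threshold
```

The same walk works for the other fields mentioned, by passing a different dotted path; the threshold is what separates "seen once, by chance" from "typical".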



Thanks Yair, I appreciate any input. I was considering writing a custom action to handle it but forgot to consider Jinja..hmmmm!