Hello everyone,
I would like to ask is it possible to search for alerts and their details using the udm search ? If yes, what search query is suitable for this purpose.
Thank you in advance !
+13- Bronze 5
Hi @Zorghost,
The following post is likely of interest - https://www.googlecloudcommunity.com/gc/SIEM-Forum/UDM-Search-to-find-triggered-alerts/m-p/727126
Kind Regards,
Ayman C
+6- Bronze 5
Hi @Zorghost,
The following post is likely of interest - https://www.googlecloudcommunity.com/gc/SIEM-Forum/UDM-Search-to-find-triggered-alerts/m-p/727126
Kind Regards,
Ayman C
This is unfortunately not what I am looking for. I just saw that there was a new feature where I can directly query the alerts using udm search :
I would like to try to replicate that and create a query to use with the chronicle integration to execute udm query to retrieve the alerts. I saw in some of the blogs that the alerts would have an ALERT tag on them similar to this :
+22Currently, you can search for alerts via the UI in a few different ways.
The most direct way is via the Alerts subtab in the Alerts & IOC section under detection. From there you have a set of filters on the right side to choose from. However, the data available may not be all the fields you want to search on.
Alternatively, you can execute a search under Investigations, sometimes referred to as a SIEM search and you can use all of the fields in UDM to search. When you search completes, you will see 3 subtabs, the overview which provides summary info on the entity, if applicable, as well as the search result summary, the middle subtab will contain the events (with any events that are part of an alert with a flag next to them), and a final subtab for alerts.
This subtab will only return alerts based on the criteria in the UDM search.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.