Question

Search for all alerts triggered by a single user

  • March 30, 2026
  • 2 replies
  • 60 views

d_patel_dj

Hello,

This might be a very simple request (forgive me), but how do you SIEM search for a single user to see every alert that user has triggered in the past 7 days? I know you can see the results in the “alerts” tab next to the SIEM results, but I don’t know what the UDM search would be specifically for alerts.

I’d like to include this UDM search in a playbook which checks how many alerts have returned and, based on the number, makes a conditional jump.

Thanks,

2 replies

hzmndt
Staff
  • March 30, 2026

a_aleinikov
  • Bronze 1
  • March 31, 2026

You’ll want to distinguish between raw events and alerts/detections in Chronicle, because they are not the same thing in UDM.

If your goal is to find all alerts triggered for a specific user, you should search for detections, then filter on the user field that is populated in your environment.

A starting point would be something like:

metadata.event_type = "DETECTION"
principal.user.userid = "username"

or, if your tenant maps the user differently:

metadata.event_type = "DETECTION"
principal.user.email = " [removed by moderator] "

If needed, you may also want to check whether the user appears under target.user.* rather than principal.user.*, depending on the rule and parser mapping.

For a 7-day window, apply the time filter in the search UI, or add the appropriate time constraint if you are building this into your workflow.

If the purpose is to use this in a playbook and branch depending on how many alerts were returned, you can run the detection search first and then use the result count for the conditional step.

Try searching for DETECTION records, then filter by the user attribute that is actually populated in your environment.
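Putting the answer's approach into a form a playbook step could use, as an added example (not code from this thread or from Google SecOps): it builds the UDM search text covering both principal.user.* and target.user.*, then applies the same user and 7-day filters locally to constructed detection records and turns the count into a branch decision. The record shapes, the metadata.event_timestamp field, the threshold and the sample user are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not real Chronicle output). Field names follow the
# answer above: metadata.event_type, principal.user.*, target.user.*
SAMPLE_DETECTIONS = [
    {"metadata": {"event_type": "DETECTION", "event_timestamp": "2026-03-29T10:00:00Z"},
     "principal": {"user": {"userid": "jdoe"}}},
    {"metadata": {"event_type": "DETECTION", "event_timestamp": "2026-03-28T09:30:00Z"},
     "principal": {"user": {"email": "jdoe@example.com"}}},   # only email is mapped
    {"metadata": {"event_type": "DETECTION", "event_timestamp": "2026-03-26T08:00:00Z"},
     "target": {"user": {"userid": "jdoe"}}},                 # user under target.user.*
    {"metadata": {"event_type": "DETECTION", "event_timestamp": "2026-03-01T08:00:00Z"},
     "principal": {"user": {"userid": "jdoe"}}},              # older than 7 days
    {"metadata": {"event_type": "USER_LOGIN", "event_timestamp": "2026-03-29T11:00:00Z"},
     "principal": {"user": {"userid": "jdoe"}}},              # raw event, not a detection
]

def build_udm_query(userid, email=None):
    """UDM search text for detections tied to one user (assumed query shape)."""
    clauses = [f'principal.user.userid = "{userid}"', f'target.user.userid = "{userid}"']
    if email:
        clauses += [f'principal.user.email = "{email}"', f'target.user.email = "{email}"']
    return 'metadata.event_type = "DETECTION" AND (' + " OR ".join(clauses) + ")"

def _parse_ts(ts):
    # UDM timestamps are RFC 3339 with a trailing Z; fromisoformat wants +00:00
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def _user_matches(rec, userid, email):
    # Check both sides, since parser/rule mapping decides where the user lands
    for side in ("principal", "target"):
        u = rec.get(side, {}).get("user", {})
        if u.get("userid") == userid or (email and u.get("email") == email):
            return True
    return False

def count_user_detections(records, userid, email=None, now=None, days=7):
    """Count DETECTION records for the user inside the trailing `days` window."""
    now_dt = _parse_ts(now) if now else datetime.now(timezone.utc)
    cutoff = now_dt - timedelta(days=days)
    return sum(
        1 for rec in records
        if rec["metadata"]["event_type"] == "DETECTION"
        and _parse_ts(rec["metadata"]["event_timestamp"]) >= cutoff
        and _user_matches(rec, userid, email)
    )

def playbook_branch(count, threshold=3):
    """Conditional jump: pick the playbook path from the result count (threshold assumed)."""
    return "escalate" if count >= threshold else "auto_close"
```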