...

Additionally, you need to have alerts assigned with at least View access (see Assign resources to a role).

About time ranges and filters

...

Examples of time expressions

Let's suppose the current time (which we refer to as "now()") is Sunday, 05 February 2017, 13:37:05. The table below shows the resulting time when different expressions are applied. Note that this isn't an exhaustive list:

| Time expression | Description | Resulting time |
|---|---|---|
| now() - 60m | 60 minutes ago | Sunday, 05 February 2017, 12:37:05 |
| now() @ 1h | Now, rounded to the beginning of the hour | Sunday, 05 February 2017, 13:00:00 |
| now() - 24h | 24 hours ago | Saturday, 04 February 2017, 13:37:05 |
| (now() - 1d) @ 1d | Yesterday, rounded to the beginning of the day | Saturday, 04 February 2017, 00:00:00 |
| (now() - 2d) @ 1d | 2 days ago, rounded to the beginning of the day | Friday, 03 February 2017, 00:00:00 |
| (now() - 2d) @ 1m | 2 days ago, rounded to the beginning of the minute | Friday, 03 February 2017, 13:37:00 |
| ((now() - 2d) @ 1d) - 2h | 2 days ago, rounded to the beginning of the day, minus 2 hours | Thursday, 02 February 2017, 22:00:00 |
| now() @ 1w | Beginning of the locale week (Sunday in this example) | Sunday, 05 February 2017, 00:00:00 |
| now() @ 1W | Beginning of the ISO week (Monday) | Monday, 30 January 2017, 00:00:00 |
| now() ^ 6d | Replaces the day with 6 | Monday, 06 February 2017, 13:37:05 |
| now() ^ 2018y3M6d15h30m20s | Replaces the year with 2018, the month with 3, the day with 6, the hour with 15, the minutes with 30 and the seconds with 20 | Tuesday, 06 March 2018, 15:30:20 |
| now() >> 2M | Forward to the next second month | Monday, 05 February 2018, 13:37:05 |
| now() << 2M | Backward to the previous second month | Friday, 05 February 2016, 13:37:05 |
| now() >> 2M6d15h20m10s | Forward to the next second month, sixth day, fifteenth hour, twentieth minute and tenth second | Tuesday, 06 February 2018, 15:20:10 |
| now() << 1h/1d | Goes back to the first hour of the current day; minutes and seconds don't change | Sunday, 05 February 2017, 01:37:05 |
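The expressions in the table above can be evaluated with a small left-to-right parser. The following is an added example, not the product's own implementation: it covers now(), +/- durations, @ rounding, ^ field replacement and parentheses (the >> and << forms are left out), assumes naive datetimes, and takes the locale week to start on Sunday, as the table's now() @ 1w row shows.

```python
import re
from datetime import datetime, timedelta

UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
FIELD = {"y": "year", "M": "month", "d": "day", "h": "hour", "m": "minute", "s": "second"}
TOKEN = r"\s*(now\(\)|[()]|[-+@^]|(?:\d+[yMwWdhms])+)"
NOW = datetime(2017, 2, 5, 13, 37, 5)  # the table's reference instant (added example, not the product's code)

def tokenize(text):
    """Split an expression into tokens; anything the grammar does not know is an error."""
    if not re.fullmatch(rf"(?:{TOKEN})+\s*", text):
        raise ValueError(f"unrecognised input in {text!r}")
    return re.findall(TOKEN, text)

def apply_op(t, op, spec):
    """Apply one operator and its unit spec, e.g. ('-', '60m'), ('@', '1W'), ('^', '6d')."""
    parts = [(int(n), u) for n, u in re.findall(r"(\d+)([yMwWdhms])", spec)]
    if not parts:
        raise ValueError(f"expected a unit spec after {op!r}, got {spec!r}")
    if op in ("+", "-"):  # shift by a fixed-length duration (y and M are not fixed-length)
        secs = sum(n * UNIT_SECONDS[u] for n, u in parts)
        return t + timedelta(seconds=secs if op == "+" else -secs)
    if op == "^":         # replace the named fields, e.g. 2018y3M6d15h30m20s
        return t.replace(**{FIELD[u]: n for n, u in parts})
    unit = parts[0][1]    # op == "@": round down to the start of the unit
    if unit in ("w", "W"):  # assumption: locale week (w) starts on Sunday, ISO week (W) on Monday
        t -= timedelta(days=(t.weekday() + (unit == "w")) % 7)
    keep = {"w": 0, "W": 0, "d": 0, "h": 1, "m": 2, "s": 3}[unit]
    return t.replace(**{f: 0 for f in ["hour", "minute", "second"][keep:]})

def evaluate(expr, now=NOW):
    tokens, pos = tokenize(expr), 0
    def chain():  # one atom (now() or a parenthesised chain) followed by operators, left to right
        nonlocal pos
        tok, pos = tokens[pos], pos + 1
        if tok not in ("(", "now()"):
            raise ValueError(f"unexpected token {tok!r}")
        value = now if tok == "now()" else chain()
        if tok == "(":  # consume the matching ')'
            if tokens[pos:pos + 1] != [")"]:
                raise ValueError("missing ')'")
            pos += 1
        while pos < len(tokens) and tokens[pos] in ("+", "-", "@", "^"):
            value = apply_op(value, tokens[pos], tokens[pos + 1] if pos + 1 < len(tokens) else "")
            pos += 2
        return value
    result = chain()
    if pos != len(tokens):
        raise ValueError("unexpected trailing input")
    return result
```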

...

  1. Click Advanced filter at the top and a menu opens below.

  2. Select a value in the field you want to use as filtering criteria.

    • Most of the fields admit several options. This will find alerts that match one or the other.

    • Several fields can be used at the same time. This will find alerts that match all of them.

    • All fields admit typing to narrow down the available values for selection.

    • Fields such as Name or Subcategory provide an option to select all values.

    • To remove a value, simply click the X next to it. To remove all values within a field, click the X located on the right side of the field.

  3. Click Apply when you finish choosing the filtering criteria. All the filters applied appear below the button, and the alerts will be filtered accordingly.

    • To reset all filters, click Clear all.

    • To reset filters per field, click the X next to each of them.

    • To reset filters per value, you need to edit the filtering by reopening the menu, removing the desired values as explained above, and clicking Apply.

...

Filter by Extradata

Info: Only with decoded Extradata

The search is conducted on the decoded version of the Extradata, not the raw version. Keep this in mind when inputting the value(s) as this might alter the expected result.

You have two different options when using this filter, each designed for a different context. The Simple option is best suited to quick, broad searches, whereas the Advanced option provides more precision and control over the filtering criteria, allowing for more thorough searches.

Simple: this mode allows you to enter a value and check whether it is present anywhere within any Extradata, retrieving the alerts that contain that value (case insensitive). It is a basic yet powerful filter, as it lets you search without detailed knowledge of the Extradata. Its limitation is that only one value can be used at a time; if you need several values, use the Advanced mode.

...

Advanced: this mode allows you to enter several values (up to 10) together with the keys in which each value will be searched, set a different operator for each value, and decide whether the conditions are combined or considered individually.

...

Info: Only with first-level keys

The advanced mode of this filter is limited to first-level keys. This means that it will not work when using deeper keys contained in complex keys (those with additional depth levels).

  • In the Extradata below, the “alertType” key is complex and contains an additional level below with two more keys – “id” and “type”. Using the deeper-level keys will not retrieve this alert, even if the searched value is present.

  • This means that using the key-value pair “type-Detection” will not retrieve this alert as a successful match. For a successful retrieval, the key-value pair “alertType-Detection” should be used instead.

  { "alertMitreTechniques": "Brute+Force",
    "alertType": { "id": "12", "type": "Detection" },
    "alertMitreTactics": "Credential+Access",
    "count": "12" }

  • Add filter condition: click this button to open a menu where you can specify what, where, and how to look for.

    • Key: the field of the Extradata where you want to search for matches. Simply write the name of the desired field (in the example above, a valid field could be count).

    • Operator: how the specified value will be considered when searching for matches. Simply click the dropdown and select one of the options.

      • Contains (->>) → case insensitive: the chosen key is examined to verify the presence of the specified value, retrieving the alert when it is present. For example, “count contains 1” would successfully retrieve the alert in the example above because 1 is present within 12.

      • Not contains (not(->>)) → case insensitive: the chosen key is examined to verify the presence of the specified value, retrieving the alert when it is not present. For example, “count not contains 1” would not retrieve the alert in the example above because 1 is present within 12.

      • Equals (=) → case sensitive: the chosen key is examined to verify whether it coincides with the specified value, retrieving the alert when it does. For example, “count equals 1” would not retrieve the alert in the example above because 1 is different from 12.

      • Not equals (!=) → case sensitive: the chosen key is examined to verify whether it coincides with the specified value, retrieving the alert when it does not. For example, “count not equals 1” would retrieve the alert in the example above because 1 is different from 12.

    • Value: the value you want to use to search for matches. Simply write the desired value.

  • AND vs OR: when you specify several filter conditions, this dropdown is enabled, allowing you to decide how to combine them.

    • AND: choosing this option combines the conditions, retrieving alerts only when all of the conditions are met. For example, “count equals 12” AND “alertMitreTactics contains Initial” would not retrieve the alert in the example above because only the count condition is met.

    • OR: choosing this option considers the conditions individually, retrieving alerts when any of the conditions is met. For example, “count equals 12” OR “alertMitreTactics contains Initial” would retrieve the alert in the example above because the count condition is met.
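The matching rules of both the Simple mode and the Advanced mode described above (case-insensitive contains, case-sensitive equals, first-level keys only, AND/OR combination of up to 10 conditions) can be modelled in a few lines. This is an added example, not the product's own code, run against a constructed copy of the Extradata shown above; it assumes that a nested first-level value such as alertType is compared through its JSON text (consistent with the ->> notation used for the operators) and that a missing key never matches.

```python
import json

# Constructed sample mirroring the Extradata shown above (added example, not the product's code).
EXTRADATA = {
    "alertMitreTechniques": "Brute+Force",
    "alertType": {"id": "12", "type": "Detection"},
    "alertMitreTactics": "Credential+Access",
    "count": "12",
}

def as_text(value):
    """Nested objects are compared through their JSON text (assumption, consistent with ->>)."""
    return value if isinstance(value, str) else json.dumps(value)

def simple_matches(extradata, value):
    """Simple mode: one value, case insensitive, looked for anywhere in the decoded Extradata."""
    return value.lower() in json.dumps(extradata).lower()

def matches(extradata, key, operator, value):
    """Advanced mode, one condition. Only first-level keys are examined, so a deeper key
    such as 'type' never matches; a missing key yields no match (assumption)."""
    if key not in extradata:
        return False
    field = as_text(extradata[key])
    if operator == "contains":        # ->>, case insensitive
        return value.lower() in field.lower()
    if operator == "not contains":    # not(->>), case insensitive
        return value.lower() not in field.lower()
    if operator == "equals":          # =, case sensitive
        return field == value
    if operator == "not equals":      # !=, case sensitive
        return field != value
    raise ValueError(f"unknown operator {operator!r}")

def advanced_matches(extradata, conditions, combine="AND"):
    """Combine up to 10 (key, operator, value) conditions with AND (all) or OR (any)."""
    if not 1 <= len(conditions) <= 10:
        raise ValueError("the advanced filter takes between 1 and 10 conditions")
    if combine not in ("AND", "OR"):
        raise ValueError("combine must be 'AND' or 'OR'")
    results = [matches(extradata, *condition) for condition in conditions]
    return all(results) if combine == "AND" else any(results)
```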

Search triggered alerts by ID

...