...

Working in multiple sessions: time range and filters are reflected in the URL, making it possible to easily replicate them in another session by copy-pasting the URL.

...

Setting time ranges

...

When setting time ranges, consider both the type of time range you specify and the method you use to set it. You can set absolute, relative, or snap-to dates:

...

Examples of time expressions

Let's suppose the current time (which we refer to as "now()") is Sunday, 05 February 2017, 13:37:05. The table below shows the resulting time when different expressions are applied. Note that this isn't an exhaustive list:

| Time expression | Description | Resulting time |
|---|---|---|
| now() - 60m | 60 minutes ago | Sunday, 05 February 2017, 12:37:05 |
| now() @ 1h | Now (rounded to the beginning of the hour) | Sunday, 05 February 2017, 13:00:00 |
| now() - 24h | 24 hours ago | Saturday, 04 February 2017, 13:37:05 |
| (now() - 1d) @ 1d | Yesterday (rounded to the beginning of the day) | Saturday, 04 February 2017, 00:00:00 |
| (now() - 2d) @ 1d | 2 days ago (rounded to the beginning of the day) | Friday, 03 February 2017, 00:00:00 |
| (now() - 2d) @ 1m | 2 days ago (rounded to the beginning of the minute) | Friday, 03 February 2017, 13:37:00 |
| ((now() - 2d) @ 1d) - 2h | 2 days ago (rounded to the beginning of the day), minus 2 hours | Thursday, 02 February 2017, 22:00:00 |
| now() @ 1w | Locale week | Sunday, 05 February 2017, 00:00:00 |
| now() @ 1W | ISO week | Monday, 30 January 2017, 00:00:00 |
| now() ^ 6d | Replace the day with 6 | Monday, 06 February 2017, 13:37:05 |
| now() ^ 2018y3M6d15h30m20s | Replaces the year with 2018, the month with 3, the day with 6, the hour with 15, the minutes with 30 and the seconds with 20 | Tuesday, 06 March 2018, 15:30:20 |
| now() >> 2M | Forward to next second month | Monday, 05 February 2018, 13:37:05 |
| now() << 2M | Backward to previous second month | Friday, 05 February 2016, 13:37:05 |
| now() >> 2M6d15h20m10s | Forward to next second month, sixth day, fifteenth hour, twentieth minute and 10 seconds | Tuesday, 06 February 2018, 15:20:10 |
| now() << 1h/1d | Goes back to the first hour of the current day. Minutes and seconds don't change. | Sunday, 05 February 2017, 01:37:05 |
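As an added example (not the product's own parser and not code from this page), the following Python evaluator implements the subset of the syntax shown in the table: `-`/`+` offsets, `@` snapping and `^` field replacement; the `>>` and `<<` operators are left out. Treating `1w` as a week starting on Sunday and keeping the day of month when shifting by months are assumptions inferred from the table's results.

```python
import re
from datetime import datetime, timedelta

NOW = datetime(2017, 2, 5, 13, 37, 5)  # the table's reference now(): Sunday 05 Feb 2017, 13:37:05
UNITS = re.compile(r"(\d+)([smhdwWMy])")
TOKENS = re.compile(r"now\(\)|(?:\d+[smhdwWMy])+|[-+@^()]")
FIELD = {"y": "year", "M": "month", "d": "day", "h": "hour", "m": "minute", "s": "second"}
SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def shift(dt, spec, sign):
    # "+"/"-": compound offset such as "2d" or "2M6d"; M and y move whole calendar months (assumed: day kept)
    for n, u in UNITS.findall(spec):
        n = int(n) * sign
        if u in "yM":
            total = dt.year * 12 + dt.month - 1 + n * (12 if u == "y" else 1)
            dt = dt.replace(year=total // 12, month=total % 12 + 1)
        else:
            dt += timedelta(seconds=n * SECONDS[u])
    return dt

def snap(dt, spec):
    # "@": round down to the start of the unit; 1w = locale week (assumed Sunday), 1W = ISO week (Monday)
    unit = spec[-1]
    if unit in "wW":
        back = (dt.weekday() + 1) % 7 if unit == "w" else dt.weekday()
        return dt.replace(hour=0, minute=0, second=0) - timedelta(days=back)
    smaller = "yMdhms"["yMdhms".index(unit) + 1:]
    return dt.replace(**{FIELD[u]: (1 if u in "Md" else 0) for u in smaller})

def replace_fields(dt, spec):
    # "^": overwrite the named fields, e.g. "2018y3M6d15h30m20s"
    return dt.replace(**{FIELD[u]: int(n) for n, u in UNITS.findall(spec)})

OPS = {"-": lambda v, s: shift(v, s, -1), "+": lambda v, s: shift(v, s, 1), "@": snap, "^": replace_fields}

def evaluate(expr, now=NOW):
    """Evaluate left to right (no operator precedence); parentheses group sub-expressions."""
    tokens = TOKENS.findall(expr)
    def parse(i):
        if tokens[i] == "(":
            value, i = parse(i + 1)
            i += 1  # consume the closing ")"
        else:
            value, i = now, i + 1  # the "now()" token
        while i < len(tokens) and tokens[i] != ")":
            value, i = OPS[tokens[i]](value, tokens[i + 1]), i + 2
        return value, i

    return parse(0)[0]
```

Call `evaluate("((now() - 2d) @ 1d) - 2h")` to reproduce a table row; pass `now=` to evaluate against a different reference instant.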

...

Applying filters

...

You can use a variety of options to filter triggered alerts, and all of them apply to the whole Alerts Overview: both the Chart representation area at the top and the Triggered alerts area at the bottom:

...

  • Add filter condition: click this button to open a menu where you can specify what, where, and how to look for.

    • Key: the field of the Extradata where you want to search for matches. Simply write the name of the desired field (in the example above, a valid field could be count).

    • Operator: how the specified value will be considered when searching for matches. Simply click the dropdown and select one of the options.

      • Contains (->>) → case insensitive: the chosen key will be examined to verify the presence of the specified value, retrieving the alert when it is. For example, using "count contains 1" would successfully retrieve the alert in the example above because 1 is present within 12.

      • Not contains (not(->>)) → case insensitive: the chosen key will be examined to verify the presence of the specified value, retrieving the alert when it isn't. For example, using "count not contains 1" would not retrieve the alert in the example above because 1 is present within 12.

      • Equals (=) → case sensitive: the chosen key will be examined to verify if it coincides with the specified value, retrieving the alert when it does. For example, using "count equals 1" would not retrieve the alert in the example above because 1 is different from 12.

      • Not equals (!=) → case sensitive: the chosen key will be examined to verify if it coincides with the specified value, retrieving the alert when it doesn't. For example, using "count not equals 1" would retrieve the alert in the example above because 1 is different from 12.

    • Value: the value you want to use to search for matches. Simply write the desired value.

  • AND vs OR: when you specify several filter conditions, this dropdown is enabled, allowing you to decide how to combine them.

    • AND: choosing this option will combine the conditions, retrieving alerts only when both of the conditions are met. For example, using "count equals 12" AND "alertMitreTactics contains Initial" would not retrieve the alert in the example above because only the count condition is met.

    • OR: choosing this option will consider the conditions individually, retrieving alerts when any of the conditions are met. For example, using "count equals 12" OR "alertMitreTactics contains Initial" would retrieve the alert in the example above because the count condition is met.
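The filter semantics above, as an added example (not code from this page or the product's own implementation): a small evaluator over a constructed Extradata record. It assumes values are compared as text, which is what "1 is present within 12" implies, and that an absent key behaves as empty text.

```python
# Constructed sample alert Extradata, mirroring the page's example (count is 12, tactic is not "Initial")
EXTRADATA = {"count": 12, "alertMitreTactics": "Persistence"}

def condition_matches(extradata, key, operator, value):
    """Apply one filter condition; operators follow the page: contains/not contains are
    case-insensitive, equals/not equals are case-sensitive. Values are compared as text (assumed)."""
    field = str(extradata.get(key, ""))  # assumed: a missing key is treated as empty text
    if operator == "contains":
        return value.lower() in field.lower()
    if operator == "not contains":
        return value.lower() not in field.lower()
    if operator == "equals":
        return field == value
    if operator == "not equals":
        return field != value
    raise ValueError(f"unknown operator: {operator}")

def alert_matches(extradata, conditions, combinator="AND"):
    """conditions: list of (key, operator, value). AND requires every condition, OR any of them."""
    results = [condition_matches(extradata, *c) for c in conditions]
    return all(results) if combinator == "AND" else any(results)
```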

...

Filter by domain (only in Multitenant structures)

In multitenant structures, there is an additional column in the triggered alerts page to indicate the domain an alert belongs to. To help you work with this capability, there’s a specific filter to find alerts based on the domain they belong to.

Info

Only for admins

This capability is designed for admin users, so only they are able to see it.

You can find this filter inside the Advanced filters menu. Click the Domain dropdown and select the domains you want to see alerts for. This dropdown shows all domains inside the current structure.

It works as any other filter, so it follows the same rules:

  • Several options can be selected (OR basis – finds alerts in either of the selected domains).

  • It can be combined with the other filters (AND basis – finds alerts matching all filtering criteria).

  • It is possible to write inside the field to search for a specific domain name (helpful with big structures).

  • To remove an item, simply click the X next to each of them. To remove them all, click the X located on the right side of the field.

  • There’s an option to select all of them at the top of the dropdown.

...

Working with presets (predefined sets of filters)

You can save the applied filters and time ranges as presets for later use. Activating a preset replicates the filters and time range to quickly show the related alerts without going through the filtering process again. This is especially useful when you need to work with similar datasets on a regular basis.

Info

User specific

This feature works on a per-user basis, which means that the presets you define are only visible to you.

Creating a preset

After applying the desired filters and time range, click the floppy disk button at the top right. Give it a name and description, and mark the default checkbox if you want it to be automatically applied when accessing the triggered alerts area. Click Apply when you finish.

...

Using a preset

To use an existing preset, simply click on the preset dropdown at the top right and select one. If there are no triggered alerts with the selected preset, you can use the refresh button on the right to reset the page to its original state without any filter applied.

...

Managing presets

  • Edit name and description: click on the preset dropdown and then on the pencil button of the preset in question. Click Apply when you finish.

  • Set as default: click on the preset dropdown and then on the bookmark icon of the preset in question. The default preset will be automatically applied when accessing the area.
    Only one can be set as default, so setting a different one as default will unmark the previous one.
    Using the option on the default preset will unmark it, rendering the area without a default preset.

  • Delete: click on the preset dropdown and then on the trashcan button of the preset in question.

  • Update preset conditions: with a preset already active, change the filters or time range, click the floppy disk button at the top right and select Save changes to current preset. You can also create a different one with the Save as new preset option.

...

Searching by ID

Every triggered alert is assigned a unique ID at the time it’s generated, which can be used to find it. Simply click the Search alert by ID button above the new alerts counter, at the top right of the screen.

...