...


Auto-investigate in DeepTrace

DeepTrace does not allow grouping tables. When you click Auto-investigate in DeepTrace, the auto-investigation query opens your query without grouping. Here you can also modify the query that DeepTrace is going to investigate.

rawMessage field required

The rawMessage field must be included in the Auto-Investigation query definition (select rawMessage), even if it is not in the alert definition query. Otherwise, DeepTrace will not trigger an investigation even though the alert itself was triggered.

Data search

You can select suspicious events and send them to DeepTrace for investigation by clicking the Engine tool button → New → Investigate in DeepTrace. You can also drag the DeepTrace icon from the tools to the main bar.

You can select one or more events from the table to send them to DeepTrace, or right-click on an event to send it.

...

The DeepTrace icon remains in the toolbar if you log out or change domain; otherwise, it is removed.

Why can't I see that option?

This option is only available when there is no grouping and at least one event is selected in the table.

Checking investigation status

Once the alert definition is created, you can see the status of the alert by clicking the Alerts or DeepTrace tabs in the navigation pane:

DeepTrace tab

...

Click DeepTrace in the navigation pane. A new browser window opens showing the DeepTrace user interface.

...

Alerts tab

...

Click Alerts in the navigation pane. Check the Trace status column to see the status of your alert. You can also click the DeepTrace icon that appears in the Action column to open DeepTrace.

...

There are four possible values for the alert auto-investigation status:

...