How to view the actual raw logs inside a correlation alert from a historical report or through a query
I have generated a report for the previous two weeks for correlation rule NIC004 (Intensive Configuration Change for Network Device). This rule was triggered multiple times over the previous 2 weeks. Now I need to analyze which devices these changes happened on and what the actual logs are.
I am able to get this information for current alerts which are still in Alert History. But those stored in IPDB do not give the actual device logs that caused this rule (NIC004) to trigger.
Which report did you run? You can change the Alert History look-back days from "Set up Alert History", retrieve the alerts for the last 2 weeks in the Alert History window, and have a look at the raw messages which participated in the alert.
Moreover, all alert information displayed in Alert History is retrieved from IPDB irrespective of whether it is current or from the past.
An easy way would be to do an output action; you can send yourself the alert and the CSV of all of the events that caused the alert to be generated.
If you use EE, you can also do Task Triage and it will have the CSV file as well.