
reporting engine from IMDB and event data access?

Question asked by Vladimir Previn on Jul 11, 2018
Latest reply on Jul 11, 2018 by Eric Partington

Hello,

Wondering, for SA RE IMDB queries: is there any way to access event data in IMDB queries via RE (when querying the alert collection)?

e.g. alert.name,alert.events[0].threat_desc

or is it only the IM-enriched groupby_ properties, e.g.

alert.groupby_destination_country


{
"success": true,
"data": {
"destination_country": ["Australia"],
"groupby_type": "Log",
"user_summary": [""],
"groupby_domain": "blablalbalblabla",
"source": "Event Stream Analysis",
"type": ["Log"],
"groupby_source_country": "Romania",
"groupby_destination_country": "Australia",
"groupby_threat_source": "",
"signature_id": "xxxxx",
"groupby_filename": "",
"groupby_data_hash": "",
"groupby_event_desc": "",
"groupby_destination_ip": "alalalalala",
"groupby_threat_desc": "we have a custom group by group ignore this",
"groupby_source_ip": "snip",
"groupby_source_username": "",
"groupby_detector_ip": "xx.xx.xx.xx",
"events": [{
....."threat_desc":.......
