AnsweredAssumed Answered

Report rules based on alert root events

Question asked by Pavel Iusco on Jun 11, 2020
Latest reply on Jun 15, 2020 by Pavel Iusco

Hello,

 

Is there a way in which you can generate reports/dashlets based on the root event(s) that caused an alert?

Rules using Respond DB as a source will not help since they are lacking in granularity. I want to generate some rules that will take the username, ip.src and device.id of the alert generators, this is not hard if you have simple rules that generate the alerts but becomes really impractical when you have complex correlation rules (as an example, i would like to report on the user.dst and ip.src from the root events that fired the "Multiple failed logins followed by a successful login" rule).

 

Any suggestion is greatly appreciated,

 

Pavel

Outcomes