Alerting

how can I do to create one search when I can see the severity of the alert?

New Member

Hello.

Can you help me?

how can I do to create one search when I can see the severity of the alert?

for example:

Alert severity count
Brute Force High 45
PortScan low 42
Create User info 2
Delete User medium 15

Thanks
alt text
alt text

Tags (2)
0 Karma

Contributor

Hi Samir,

You can use the REST API to get this result. For example:

| rest /services/alerts/fired_alerts/-
 |stats sum(triggered_alerts) AS count BY savedsearch_name, severity
 |eval severity = case(severity==1, "Info",
                       severity==2, "Low",
                       severity==3, "Medium",
                       severity==4, "High",
                       severity==5, "Critical")
 |rename savedsearch_name AS Alert
 |table Alert severity count

Hope this helps.

New Member

Tranks for help,

My finish search.

| rest https://localhost:8089/servicesNS/your-user/-/alerts/fired_alerts/- |stats sum(triggered_alerts) AS count BY savedsearch_name, severity
|eval severity = case(severity==1, "Info",
severity==2, "Low",
severity==3, "Medium",
severity==4, "High",
severity==5, "Critical")
|rename savedsearch_name AS Alert
|table Alert severity count
|sort - count

0 Karma