Creating a custom SOC monitoring dashboard using triggered alerts


index=_audit action=alert_fired ss_app="Threats_App"
| eval ttl=expiration-now()
| search ttl>0
| sort - trigger_time
| convert ctime(trigger_time)
| table trigger_time ss_name severity
| rename trigger_time as "Alert Time", ss_name as "Alert Name", severity as "Severity"

I created a dashboard with a panel containing the above query in it. It is looking for triggered alerts from my app. I want to display the results (stats) of the triggered alerts in a different panel below that in the same dashboard.

So it's like "here are the alerts fired, and when you click the alert name, it shows the stats (results) of that alert. Implementing this, I can see multiple alerts and the results of those alerts in the same dashboard."

I do not want to install additional apps, so please help me with this query only. Please do not suggest apps for a simple solution. Thanks






I have this panel which keeps updating with new alerts (query posted in my earlier post). When I click on the alert, it should show me events on the same dashboard.




Hi @aferns0804 ,

I understand 50% of your question, but I did not get what you are referring to by the result (stats) of the alert.

To implement the concept, you can use the drilldown option for the respective panel to populate the token value and create another panel which will use this token as input in the query.
