ITSI Episodes Data Inconsistent

krunoslav · ‎09-01-2020

Hello,

When fetching the episodes from ITSI via REST (https://hostname:8089/servicesNS/fsspl06/itsi/event_management_interface/notable_event_group?filter={"status":"1","severity":{"$gte":"3"}}) a list of several episodes with status "New" is obtained. However, in the ITSI GUI, in the Episode Review tab, a search for all new episodes over all time returns no results. How is this possible? Any clues on how to debug this? Thanks

eduncan · ‎09-02-2020

If you are sure that even in the itsi_summary index that the groupid's for the ones retrieved via rest are NOT there, then I'd open a support case.

eduncan · ‎09-01-2020

Need more info on your filter. What is set for Status Filter and Severity Filter?

krunoslav · ‎09-01-2020

In ITSI GUI the Status is set to New and the severity is not set

eduncan · ‎09-01-2020

Also if you search the. index=itsi_grouped_alerts do you see the groupID of the same episodes you got from the REST API?

krunoslav · ‎09-01-2020

No, the episodes returned via REST are not found in the index.

ITSI Episodes Data Inconsistent

troubleshooting

using ITSI

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...