I run this search: index=_audit action=fired_alert
I get back this, which looks like the properties of the alert.
Audit:[timestamp=11-08-2017 06:52:57.231, id=35143213, user=admin, action=alert_fired, ss_user="nobody", ss_app="search", ss_name="RDP by GenericID Prod", sid="rt_scheduler_adminsearch_RMD5cf6dac5adc7385e1_at_1510141830_38328.0", alert_actions="email,notable,resilient", severity=3, trigger_time=1510141971, expiration=1510228377, digest_mode=0, triggered_alerts=1][OhxQLHMR0bgxLAaqfsIRoIsoknIp5H1APZ24P4Hm/9FDp8O0VT46WEsP+yLAPbuHYNBkjd8X2/Lu4tVXmqLy+d738KZDjCqFTCu9WcwwILDA97uAfDes/bqw0KamiumItENPlXSQkZIGLfuULHuVoBWOdWrIDF5MMp2y19XsXps=]
The search for the alert looks like this:
index="wineventlog" EventCode=4648 Logon_ID=0x3e7 Process_Name="C:\Windows\System32\winlogon.exe" [ | inputlookup serts-prod.csv | rename genid as user_identity | table user_identity] | eval discovered_date=ceil(_time) * 1000| fields host, user, Account_Domain, discovered_date
How do I get the values in the fields statement? It should be my username, my workstation and my logon domain.
Thanks!
You have the SID of the search that triggered the alert: rt_scheduler_adminsearch_RMD5cf6dac5adc7385e1_at_1510141830_38328.0
Then use one of the endpoints (/services/search/jobs, /services/search/jobs/{search_id}/results) to get the search results using the SID.
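As an added illustration of that approach (example code, not from the original post or the Splunk SDK): parse the sid and the other alert properties out of the _audit event shown in the question, then build and call the /services/search/jobs/{search_id}/results endpoint for it. The base URL, the session key and the "Authorization: Splunk <key>" header form are assumptions for the live call; the sample event is the one from the question with its signature blob replaced by a placeholder.

```python
import json
import re
import urllib.parse
import urllib.request

# Constructed sample: the _audit event from the question, signature blob replaced.
SAMPLE_AUDIT = ('Audit:[timestamp=11-08-2017 06:52:57.231, id=35143213, user=admin, '
                'action=alert_fired, ss_user="nobody", ss_app="search", '
                'ss_name="RDP by GenericID Prod", '
                'sid="rt_scheduler_adminsearch_RMD5cf6dac5adc7385e1_at_1510141830_38328.0", '
                'alert_actions="email,notable,resilient", severity=3, '
                'trigger_time=1510141971, expiration=1510228377, digest_mode=0, '
                'triggered_alerts=1][SIGNATURE_PLACEHOLDER]')

# key=value pairs: either a double-quoted value (may contain commas and spaces)
# or a bare value running up to the next comma. The timestamp value contains a
# space, so the bare alternative deliberately does not stop at whitespace.
_KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\]]+))')


def parse_audit_event(raw):
    """Return the key=value fields of the first [...] group of an Audit: line as a dict."""
    start = raw.find('[')
    end = raw.find(']', start)
    if start < 0 or end < 0:
        raise ValueError('not an Audit:[...] event')
    body = raw[start + 1:end]
    # findall yields '' for the alternative that did not match, so pick the non-empty one
    return {key: (quoted or bare).strip() for key, quoted, bare in _KV_RE.findall(body)}


def results_endpoint(base_url, sid, count=0):
    """Build the REST URL for the triggering search's result rows (count=0 returns all rows)."""
    path = '/services/search/jobs/%s/results' % urllib.parse.quote(sid, safe='')
    query = urllib.parse.urlencode({'output_mode': 'json', 'count': count})
    return '%s%s?%s' % (base_url.rstrip('/'), path, query)


def fetch_alert_results(base_url, session_key, sid):
    """Fetch the result rows for a fired alert's SID. Needs a reachable Splunk
    management port; assumes a session key sent as 'Authorization: Splunk <key>'."""
    req = urllib.request.Request(results_endpoint(base_url, sid),
                                 headers={'Authorization': 'Splunk ' + session_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get('results', [])


if __name__ == '__main__':
    fields = parse_audit_event(SAMPLE_AUDIT)
    print(fields['ss_name'], '->', results_endpoint('https://splunk.example:8089', fields['sid']))
```

Each row returned by the results endpoint carries the host, user and Account_Domain values the alert's `fields` statement kept, which is what the in-Splunk `loadjob` of the same sid gives you.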
I did this, but not sure this is the best approach.
search index=_audit action=alert_fired earliest=startingDate latest=endingDate | map search="| loadjob $sid$"
I use a starting and ending date so I am only searching on a time frame when the alert happened and not the entire time frame.
I am using the C# SDK, but is what you listed above a more efficient method?
Thanks!