Hi,
I need help enhancing the search below so that it fires if a user triggers one or more of these policies:
index=dlp sourcetype=dlpalerts
policy=" All Apps " OR policy=" Gmail" OR policy=" GDrive"
AND ``` one or more of these policies ```
policy="All Policies" AND activity=upload
``` exclude all instances present in the lookup table instance.csv from this search ```
OR
policy="All Apps - Password Protected Files - Alert"
``` exclude all instances present in instance.csv from this search ```
OR
alert_type=ews AND alert_name=" uploads"
``` exclude all instance_id present in instance.csv from this search ```
| stats earliest(_time) as incident_time, values(activity) as activity, values(instance_id) as instance_id, values(alert_type) as alert_type, values(alert_name) as alert_name
by user, policy
Thanks
Have you tried something like this?
index=dlp sourcetype=dlpalerts
(policy=" All Apps " OR policy=" Gmail" OR policy=" GDrive")
((policy="All Policies" AND activity=upload) OR
(policy="All Apps - Password Protected Files - Alert") OR
(alert_type=ews alert_name=" uploads"))
NOT [ | inputlookup instance.csv | fields instance_id ]
| stats earliest(_time) as incident_time, values(activity) as activity, values(instance_id) as instance_id, values(alert_type) as alert_type, values(alert_name) as alert_name by user, policy
@richgalloway
Hi, can you help me write the above search in drill-down search format under Adaptive Response Actions > "+ Add New Response Action" > Notable while creating a correlation search in ES?
Adaptive Response Actions use the same SPL as other search queries.
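As an added example (not code from the thread), the same correlation search with the instance exclusion done as a `lookup` join instead of a `NOT [subsearch]`, which sidesteps the subsearch result cap (10,000 rows by default); it assumes instance.csv is uploaded as a lookup table file that the search user can read and that its column is named instance_id.

```spl
index=dlp sourcetype=dlpalerts
    (policy=" All Apps " OR policy=" Gmail" OR policy=" GDrive")
    ((policy="All Policies" AND activity=upload)
     OR policy="All Apps - Password Protected Files - Alert"
     OR (alert_type=ews AND alert_name=" uploads"))
| lookup instance.csv instance_id OUTPUT instance_id AS excluded_instance
| where isnull(excluded_instance)
| fields - excluded_instance
| stats earliest(_time) AS incident_time,
        values(activity) AS activity,
        values(instance_id) AS instance_id,
        values(alert_type) AS alert_type,
        values(alert_name) AS alert_name
  BY user, policy
```

Events whose instance_id matches a row in instance.csv get the excluded_instance field populated and are dropped by the `where isnull(...)` step, so the exclusion works regardless of how many rows the lookup holds. In the Notable action's Drill-down search box, the grouped fields become tokens, e.g. `index=dlp sourcetype=dlpalerts user="$user$" policy="$policy$"`, with the drill-down earliest/latest offsets set to cover the incident_time window.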