@gcusello , Hi, You're on different track my requirement is if single user triggers an alert say alert_name other than pdm in between 2 hours more than 3 times . How could we achieve it using eval . Thanks 👍 ... View more

@ITWhisperer , Pls could you make the search in between 2 hours more than 3 times if user triggers alert other than pdm Thanks  ... View more

@tscroggins  Hi, My usecase is of in between 2 hours if users triggers an alert other than pdm more than 3 times ! ... View more

@ITWhisperer , Hi, In this search you didn't mention any time interval like the period of two hours  When the user triggers the non pdm alerts in between 2 hours of  time  ... View more

@ITWhisperer , Other fields as well like dlprule,filetype,incidentime ... View more

@ITWhisperer  Why still it is not listing out the stats fields mentioned ? What could be the reason ... View more

@ITWhisperer  Could you pls check why this query is  not listing all the stats  fields in the output index=es sourcetype=alert (alert_name!="*PDM*") | stats earliest(_time) as incident_time, values(severity) as severity, values(action) as action, values(file_type) as file_type, values(exposure) as exposure, values(url) as url, values(device) as device by user,alert_name | eval alert_type=case(like(alert_name,"%pdm%"), "pdm", 1==1, "notpdm") | chart count by user alert_type | where notpdm > 1 ... View more

@ITWhisperer  Second use case is like alert_ name other than pdm, dnt mention encrypted,we are not interested in encrypted alert_name in second search.  Alert_ name!= "*pdm*" Here we are using *pdm* coz to find the similar word pdm in alert_name  Pls remove encrypted from query it is different alert type , Only need alert_name !="*pdm*"   Thanks ... View more

@ITWhisperer  Hi, Could you please make search seperate as per the use case instead of all in one search 1.Use case alert_name= "*pdm*" AND alert_name="*encrypted*" Both alerts in between 2 hours. 2. Use case alertname!="*pdm*" Between 2 hours of period. Thanks ... View more

Hi , @richgalloway  My ask is if the user triggers both the alerts i.e pdm and encrypted with in a span of 2 hours. Other one is if the user triggers non pdm alerts with in a span of 2 hours is my requirement Please edit the above search as per the usecase. Thanks  ... View more

@richgalloway  what I'm trying to do is like usecase1:  alert_name!="*pdm*"          by user base search -------------- | eval non_pdm_alert=if(alert_name!="*pdm*", 1, 0) | sort _time | streamstats count(non_pdm_alert) AS non_pdm_count by user time_window=2h | where non_pdm_count>2 It is not giving desired output. usecase 2: (alert_name="*PDM*" AND alert_name="*encrypted*") base search | eval both_alerts_triggered=if(alert_name="*pdm*" AND alert_name="*encrypted*", 1, 0) | sort _time | streamstats count(eval(both_alerts_triggered=1)) AS triggered_count by user time_window=2h | where triggered_count>=2     ... View more

@richgalloway  My aim is creating a correlation search.. ... View more

@richgalloway  Please have a look on usecase snapshot once.  ... View more

@richgalloway  Hi, Use case :1 If the user triggers pdm and encrypt alerts both in a period of 2 hours it should raise an alert.   Use case:2 If the user triggers other than pdm in between  2 hours  for single user more than 3 times it should raise an alert . Thanks     ... View more

@gcusello could you brief about  PDM abbrevation and concept ... View more

@gcusello  Please find the sample event key points highlighted with red colour  ... View more

Pls use above sample event for this use case when  User triggers diferent PDM alerts in a short period of time (EX Block on Gmail and block on external apps)... ... View more

.. ... View more