Activity Feed
- Got Karma for Security Essentials not showing/mapping MITRE & cyber kill chain. 01-23-2025 01:15 AM
- Karma Re: How do I subtract the results of two different searches including sseanalytics? for yuanliu. 08-19-2024 09:24 AM
- Posted Re: How do I subtract the results of two different searches including sseanalytics? on Splunk Search. 08-19-2024 09:22 AM
- Posted How do I subtract the results of two different searches including sseanalytics? on Splunk Search. 08-16-2024 01:50 PM
- Tagged How do I subtract the results of two different searches including sseanalytics? on Splunk Search. 08-16-2024 01:50 PM
- Posted Security Essentials not showing/mapping MITRE & cyber kill chain on Splunk Enterprise Security. 06-28-2024 02:02 PM
Topics I've Started
08-19-2024
09:22 AM
Hi, thanks for pointing that out. The "by bookmark_status_display" was indeed unneeded, as I'm specifying which status it is in the query; hence the actual query should be:
| sseanalytics 'bookmark'
| where bookmark_status="bookmarked"
| stats count(bookmark_status_display) AS "Bookmark Status"
Once taking that into consideration, I was able to use the following for the result:
| rest /services/saved/searches
| search alert_type!="always" AND action.email.to="production@email.com" AND title!="*test*"
| stats count(action.email.to) AS "Count"
| appendcols
[sseanalytics 'bookmark'
| where bookmark_status="successfullyImplemented"
| stats count(bookmark_status_display) AS "Bookmark Status"]
| eventstats values(Count) as Count
| eval diff = 'Bookmark Status' - Count
| table diff
Thank you 100!
08-16-2024
01:50 PM
I'm trying to subtract the total number I have of alerts that send an email from the total amount of alerts that are bookmarked in SSE. The only examples I found on the community used either the same index or sub-searches (neither worked in my scenario). My query for the alerts is:
| rest /services/saved/searches
| search alert_type!="always" AND action.email.to="production@email.com" AND title!="*test*"
| stats count(action.email.to) AS "Count"
My query for bookmarks is:
| sseanalytics 'bookmark'
| where bookmark_status="successfullyImplemented"
| stats count(bookmark_status_display) AS "Bookmark Status" by bookmark_status_display
06-28-2024
02:02 PM
1 Karma
When using Splunk's Security Essentials: MITRE ATT&CK Framework, we are lacking a significant amount of alerts. We used to have around 1500 in active and 300-ish on needs data; however, overnight it dropped to the 200 mark total (between active and needs data). The following troubleshooting steps have been taken:
1. Updated content with the "force update" under system configuration.
2. Verified communication to the URLs (yes, it can connect).
3. Uninstalled and reinstalled the current SSE version; this cleared the data mapping. Upon install it showed enabled 0 - active 0 - missing data 1715; after the weekend it dropped to 0-8-195.
4. After I rebuilt the data inventory it looked as such:
Here are some SS of the security content:
1. Shows content.
2. The drop-down shows 12 MITRE ATT&CK platforms, but the drop-down is all 0's.
3. Sometimes the data sources would show a filter of none, with 1300+ items, like the item below, 134, and sometimes it just doesn't appear.
4. MITRE map missing from the configuration tags.