yes... ... View more

Yes, but nothing relevant ... View more

Yes, Microsoft generates incident IDs that are unique and collision-free for each incident. I'm going to try to disable it ... View more

Oh, I have put a lot of information about it like the example I gave. I have put the search query, an example of an event, the alert configuration, etc. They are events ingested by the Microsoft security API, coming from the Defender, and the queries are basic, if the title of the events is x, it is triggered. It is already desperation, because if you run the search normally, it detects the event it should but the alert has not been generated. So the only option I can think of is the indexing time, but I understand that if the search runs every 5 minutes and searches the entire previous hour, there should be no problem and there still is. These alerts are very important to me, and they must appear no matter what. In the example I mentioned at the beginning: TimeIndexed = 2024-04-04 01:01:59 _time=04/04/2024 00:56:08.600 ... View more

I am not going to experience this problem because I apply a throttle per event ID, and in some cases a dedup of the ID in the query itself, and I have set the alert to look 30 min back and run every ten but I still lose some events that do appear if I run the search. ... View more

How can I do this? Note that the forwarder is an Edge Processor and you can't touch the conf files, everything is modified in the GUI. ... View more

Could you explain to me what you mean by overlapping times? ... View more

Here the raw:   ... View more

I will try to search in the last 60 min by doing a throttle of the incidentId ... View more

and what can be the problem when the difference is 4-5 min between the indexing time and the _time, and the alert runs every 15 min and looks at the last 15 min. ... View more

and what could be a solution? ... View more

Ok, thank you.   In one of the cases that I didn't get my alert triggered,  TimeIndexed = 2024-04-04 01:01:59 _time=04/04/2024 00:56:08.600 ... View more

where can i see the index time? ... View more

Yes, no error. ... View more

Yes: index=conf detectionSource=MCAS NOT title IN("Potential ransomware activity*", "Multiple delete VM activities*", "Mass delete*","Data exfiltration to an app that is not sanctioned*", "Cloud Discovery anomaly detection*", "Investigation priority score increase*", "Risky hosting apps*", "DXC*") status=new NOT ((title="Impossible travel activity" AND description="*Mexico*" AND description="*United States*")) | dedup incidentId | rename entities{}.* AS * devices{}.* AS * evidence{}.* AS * | stats values(title) as AlertName, values(deviceDnsName) as Host, values(user) as "Account", values(description) as "Description", values(fileName) as file, values(ipAddress) as "Source IP", values(category) as "Mitre" by incidentId | rename incidentId AS ID_Defender | tojson auto(AlertName), auto(Host), auto("Account"), auto("Description"), auto(file), auto("Source IP"), auto("Mitre") output_field=events | eval events=replace(events, "\\[\"", "\""), events=replace(events, "\"\\]", "\"") | rex field=events mode=sed "s/:\\[([0-9])\\]/:\\1/g" | eval native_alert_id = "SPL" . strftime(now(), "%Y%m%d%H%M%S") . "" . tostring(random()) | tojson auto(native_alert_id) output_field=security | eval security=replace(security, "\\[\"", "\""), security=replace(security, "\"\\]", "\"") | rename security AS "security-alert" | tojson json(security-alert), auto(events) output_field=security-alert | eval _time=now() ... View more

last one worked! ... View more

Any help? ... View more

do i need to config rsyslog? ... View more

ok, but also nothing in SCP ... View more

I see that index in Heavy Forwarder is empty ... View more