Issue
Investigate whether alerts are coming into Red Canary or find Alerts in Red Canary by the Alert's native identifier.
- Entering the external alert ID in the "Alert ID" box appears to only work for Red Canary alert IDs (not external alert IDs).
- Entering external alert ID in the "Raw Data Contains" box is the only thing that seems to work. However, this frequently returns many alerts - sometimes the one we're looking for, sometimes not. It's extremely tedious to manually review the results to confirm whether or not the alert is actually in the search results.
Resolution
Use the Raw data contains search box to search using the Alert's native identifier.
To find an example of the Alert's native identifier in Red Canary:
1. Go to the Alerts page
2. Find an example alert, and click into it
3. Click the original alert dropdown to expand the alert JSON
4. Find the alert's native identifier within the JSON - it may look something like this:
Use the syntax provided in the native alert JSON for the native identifier to conduct your search. Be sure to switch out for the alert ID you're looking for.
Use the standard search fields to narrow your search:
1. Select the Provider Source from the dropdown
2. Enter your search term in the Raw Data contains field
- Make sure to remove the leading quote (") from the search term as quotes are automatically added around the term. Leaving the leading quote may negatively affect your search.
- For instance, when searching for "alertId": 12345, it's entered in the field as alertId": 12345
3. Hit Enter to add the search term to your search criteria
4. Click Search to execute the search.
Alternatively, use the Advanced Search.
When using Advanced search, the syntax is a bit different. Use raw: followed by the exact text from the native alert JSON. For example: