1. Logpoint Service Desk
  2. Community
  3. SIEM - Searching & Analytics

Show Alert Detail within the search

Avatar
Follow
0

Hello Guys,

Is there a possibility to show the “Alert Details” within a search, so we can execute filtering and combining with other searches to get a special reporting on this infomation?

Alert Details

Share This Post:

4 comments

Date Votes
0
Avatar
Nils Krumrey

Logpoint logs some of this information as an audit event into the _logpoint, default or _LogPointAlerts repository (which one depends on your configuration) when an incident is raised, and only that information can be searched on (for example the MITRE metadata, incident name and incident criteria). The rest is pretty much part of the actual alert definition and not the incident itself, and you would have to use the Search API to get more detailed information about the alert rule definition itself.

0
Avatar
Sascha Scholz

Thanks for replying.

Iam not looking for the information about alert which have triggered, I would like to get the information of defined and active alert rules within the logpoint configuration (Settings - Knowledge Base...) For Example to get all the available alertrule_ids.

Unfortunately I could not find information related to the search API and the definitions of the alert rules (for example) https://docs.logpoint.com/docs/logpoint-api-reference/en/latest/Search%20API/getalloweddata.html
Is there any further documentation which Iam not aware of?

Is the API only reachable via “external” or also over the search bar? (Like an internal search onto the API)

Thanks in advance.

0
Avatar
Nils Krumrey

Sorry, I meant the Incident API, not Search API - https://docs.logpoint.com/docs/logpoint-api-reference/en/latest/Incident%20API/Getting%20the%20incidents.html

That would allow you to retrieve information such as the repo selection, which user the incident was assigned to etc. It is “outside” of the GUI/search bar, so would have to be run from another system. That is still all about incidents that have actually triggered vs. the definition of the alert rules. You can find a list of all the alert rule definitions in the Alert Rule plugins manual at https://docs.logpoint.com/docs/alert-rules/en/latest/index.html . But I don’t think it’s the easiest to consume for your purpose.

I do remember seeing a Support ticket recently where Pravesh had created a tool the Support team could run to dump information about the currently defined or active alert rules from the LogPoint configuration database into a CSV.

That might be the best approach here for what I think you need. If you raise a Support ticket asking for this and mention that Pravesh Gaire recently did something like this for a different customer they can hopefully point you in the right direction.

0
Avatar
Sascha Scholz

Hi Nils,

I will go through the information you gave me und open a support ticket as well.

If I got further questions, I will update the topic.

Thank you very much!

BR,

Sascha

Please sign in to leave a comment.