From cb2f92b44582d9d4542c927b74bf7e7d495abdeb Mon Sep 17 00:00:00 2001 From: research-bot Date: Tue, 29 Oct 2024 11:23:42 -0700 Subject: [PATCH] udpating drilldowns --- .../detect_critical_alerts_from_security_tools.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/detections/endpoint/detect_critical_alerts_from_security_tools.yml b/detections/endpoint/detect_critical_alerts_from_security_tools.yml index f05b092884..d0d4eb1e62 100644 --- a/detections/endpoint/detect_critical_alerts_from_security_tools.yml +++ b/detections/endpoint/detect_critical_alerts_from_security_tools.yml @@ -21,12 +21,12 @@ references: - https://docs.splunk.com/Documentation/CIM/5.3.2/User/Alerts - https://learn.microsoft.com/en-us/defender-endpoint/api/raw-data-export-event-hub drilldown_searches: -- name: View the detection results for - "$dest$" - search: '%original_detection_search% | search dest = "$dest$"' +- name: View the detection results for - "$dest$" and "$user$" + search: '%original_detection_search% | search dest = "$dest$" user = "$user$"' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ -- name: View risk events for the last 7 days for - "$dest$" - search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' +- name: View risk events for the last 7 days for - "$dest$" and "$user$" + search: '| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$dest$", "$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset: $info_min_time$ latest_offset: $info_max_time$ tags: