Hi
I am using the /detection_engine/signals/search endpoint to grab detections but this endpoint doesn't include External alerts (eg. Crowdstrike). Is there an endpoint or other method to programmatically collect external alerts?
Cheers!
Hi @Derick_Jansen, thanks for the post!
External alerts are defined as log events that have the ECS field:value of event.kind:alert
These events have no SIEM/Security app detection rule metadata applied to them, so they are more like raw events.
Here are two possible options if you want to grab these external alert events:
`event.module:crowdstrike AND event.kind:alert`
, and then continue to use the API endpoint you're using now. Note, for option 2, when creating the detection rule, you can use the "rule name override" switch, so that an original alert name from Crowdstrike appears as the rule name in the signal document, like this:
Please let us know if this helps.
Also, I'd be interested to know what you're doing with the detection alerts once you pull them using the API?
Thanks!
Mike P.
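The two collection paths from the reply above, as an added example that is not part of the thread or of Elastic's own code: option 1 expressed as a query-DSL request against the raw indices, option 2 as the signals search request the question already uses, plus a small classifier that separates raw external alerts from rule-generated signals. It assumes the 7.x `signal.*` document layout and a hypothetical `KIBANA_URL`; the sample documents are constructed.

```python
from typing import Dict, List, Tuple

KIBANA_URL = "https://kibana.example.invalid:5601"  # hypothetical placeholder


def external_alert_query(module: str = "crowdstrike", since: str = "now-24h") -> Dict:
    """Option 1: hit the raw log indices directly. This is the thread's KQL
    `event.module:crowdstrike AND event.kind:alert` written as DSL filters."""
    return {
        "query": {"bool": {"filter": [
            {"term": {"event.kind": "alert"}},
            {"term": {"event.module": module}},
            {"range": {"@timestamp": {"gte": since}}},
        ]}},
        "sort": [{"@timestamp": "desc"}],
        "size": 100,
    }


def signals_search_request(since: str = "now-24h") -> Dict:
    """Option 2: the signals endpoint from the question, which only returns
    documents produced by detection rules. Kibana POSTs need kbn-xsrf."""
    return {
        "method": "POST",
        "url": f"{KIBANA_URL}/api/detection_engine/signals/search",
        "headers": {"kbn-xsrf": "true", "Content-Type": "application/json"},
        "json": {"query": {"range": {"@timestamp": {"gte": since}}}, "size": 100},
    }


def is_external_alert(doc: Dict) -> bool:
    """Raw external alert: event.kind:alert and no detection-rule metadata."""
    return doc.get("event", {}).get("kind") == "alert" and "signal" not in doc


def alert_name(doc: Dict) -> str:
    """Signals carry signal.rule.name (the vendor's alert name when the rule
    uses 'rule name override'); raw alerts fall back to ECS rule.name."""
    if "signal" in doc:
        return doc["signal"]["rule"]["name"]
    return doc.get("rule", {}).get("name", "<unnamed external alert>")


def split_alerts(docs: List[Dict]) -> Tuple[List[str], List[str]]:
    """Return (external alert names, detection signal names); plain events are dropped."""
    external = [alert_name(d) for d in docs if is_external_alert(d)]
    signals = [alert_name(d) for d in docs if "signal" in d]
    return external, signals


SAMPLE_DOCS = [  # constructed sample documents, not real data
    {"event": {"kind": "alert", "module": "crowdstrike"}, "rule": {"name": "Suspicious Process"}},
    {"event": {"kind": "signal"}, "signal": {"rule": {"name": "Suspicious Process"}}},
    {"event": {"kind": "event", "module": "system"}},
]
```

Running `split_alerts(SAMPLE_DOCS)` shows the same Crowdstrike alert once as a raw event and once as a signal with the overridden rule name, which is why option 1 and option 2 must not both be ingested without de-duplication.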