SIEM and XDR Alerts

Hi,

Is it possible to differentiate alert detections between SIEM and XDR on the console?

In Security > Rules > Detection Rules you will find all the rules related to the integration of Elastic Defend, which takes EDR actions and, when used for protection in cloud or container services, assumes the role of XDR, delivering scalable and extended protection for these services.

@wsouza Thanks for the feedback. But this is based on the rule, right? Is it possible to pull alerts for a month, for example only the ones XDR detected?

When creating a detection rule, you can add an exception to the endpoint. You find this option in Advanced Settings when creating a detection rule. Does it help you with anything?


Hi @wsouza, thanks. I thought maybe I could separate XDR alerts and SIEM alerts not on the rules but on the alerts.

I think it's possible with the right query / filter on the right tags.

Hi @willemdh, oh okay, any idea?

If you are looking at Security > Alerts, you can filter with event.dataset:"endpoint.alerts". This will show you all the alerts coming from the Endpoint Security rule.

If you want to have a broader scope to include all detection alerts that use the logs coming from the Defend integration, you can filter on the alert page with event.dataset:endpoint.*. This would include datasets like endpoint.events.file, endpoint.events.network, endpoint.events.process, etc.

Hopefully this helps!

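The two filters from the answer above, turned into a small script (an added example, not code from the thread or from Elastic): it classifies alert documents by `event.dataset` and builds an Elasticsearch query body for one calendar month. It assumes alert documents carry ECS `event.dataset` (a keyword field) and `@timestamp`; the sample alerts are constructed.

```python
from datetime import date

# Datasets named in the thread: the Endpoint Security rule writes
# endpoint.alerts, while other Defend telemetry uses endpoint.events.*.
ENDPOINT_ALERT_DATASET = "endpoint.alerts"
ENDPOINT_PREFIX = "endpoint."


def classify_alert(alert: dict) -> str:
    """'xdr' for Endpoint Security rule alerts, 'xdr-derived' for detection
    rules built on Defend telemetry, 'siem' for everything else."""
    dataset = alert.get("event", {}).get("dataset", "")
    if dataset == ENDPOINT_ALERT_DATASET:
        return "xdr"
    if dataset.startswith(ENDPOINT_PREFIX):
        return "xdr-derived"
    return "siem"


def month_query(year: int, month: int, scope: str = "xdr") -> dict:
    """Query DSL body restricting alerts to one month and one source.
    Assumes event.dataset is a keyword field, so wildcard/term apply."""
    start = date(year, month, 1)
    end = date(year + 1, 1, 1) if month == 12 else date(year, month + 1, 1)
    if scope == "xdr":
        ds = {"term": {"event.dataset": ENDPOINT_ALERT_DATASET}}
    elif scope == "xdr-derived":
        ds = {"wildcard": {"event.dataset": "endpoint.*"}}
    else:  # siem: anything not produced from Defend data
        ds = {"bool": {"must_not": {"wildcard": {"event.dataset": "endpoint.*"}}}}
    window = {"range": {"@timestamp": {"gte": start.isoformat(), "lt": end.isoformat()}}}
    return {"query": {"bool": {"filter": [ds, window]}}}


# Constructed sample alert documents, not real data.
SAMPLE_ALERTS = [
    {"event": {"dataset": "endpoint.alerts"}, "@timestamp": "2024-03-02T10:00:00Z"},
    {"event": {"dataset": "endpoint.events.process"}, "@timestamp": "2024-03-05T10:00:00Z"},
    {"event": {"dataset": "system.auth"}, "@timestamp": "2024-03-07T10:00:00Z"},
    {"event": {"dataset": "endpoint.alerts"}, "@timestamp": "2024-04-01T00:00:00Z"},
]


def count_by_source(alerts: list, year: int, month: int) -> dict:
    """Apply the same month window locally (ISO timestamps compare as strings)."""
    body = month_query(year, month)["query"]["bool"]["filter"][1]["range"]["@timestamp"]
    counts = {"xdr": 0, "xdr-derived": 0, "siem": 0}
    for alert in alerts:
        ts = alert.get("@timestamp", "")
        if body["gte"] <= ts < body["lt"]:
            counts[classify_alert(alert)] += 1
    return counts
```

Send `month_query(...)` to the alerts index (for example `.alerts-security.alerts-default`) with your usual client to get the same split server-side.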

Hi @guessWho, thanks.
