Hi,
Is it possible to differentiate alert detections between SIEM and XDR on the console?
@wsouza Thanks for the feedback, but this is based on the rule, right? Is it possible to pull alerts for a month, for example only the ones XDR detected?
When creating a detection rule, you can add an exception to the endpoint. You find this option in Advanced Settings when creating a detection rule. Does it help you with anything?

Hi @wsouza, thanks. I thought maybe I could separate XDR alerts and SIEM alerts not on the rules but on the alerts.
I think it's possible with the right query / filter on the right tags.
Hi @willemdh, oh okay, any idea?
If you are looking at Security > Alerts, you can filter with event.dataset:"endpoint.alerts". This will show you all the alerts coming from the Endpoint Security rule.
If you want to have a broader scope to include all detection alerts that use the logs coming from the Defend integration, you can filter on the alert page with event.dataset:endpoint.*. This would include datasets like endpoint.events.file, endpoint.events.network, endpoint.events.process, etc.
Hopefully this helps!
Hi @guessWho Thanks
© 2020. All Rights Reserved - Elasticsearch