Solved

Show Alert Detail within the search


Hello Guys,

Is there a possibility to show the “Alert Details” within a search, so we can execute filtering and combining with other searches to get a special reporting on this information?

Alert Details (screenshot)

Best answer by Nils Krumey 5 July 2022, 13:53


4 replies


Logpoint logs some of this information as an audit event into the _logpoint, default or _LogPointAlerts repository (which one depends on your configuration) when an incident is raised, and only that information can be searched on (for example the MITRE metadata, incident name and incident criteria). The rest is pretty much part of the actual alert definition and not the incident itself, and you would have to use the Search API to get more detailed information about the alert rule definition itself.

Thanks for replying.

I am not looking for the information about alerts which have triggered, I would like to get the information of defined and active alert rules within the Logpoint configuration (Settings - Knowledge Base...). For example, to get all the available alertrule_ids.

Unfortunately I could not find information related to the search API and the definitions of the alert rules (for example) https://docs.logpoint.com/docs/logpoint-api-reference/en/latest/Search%20API/getalloweddata.html
Is there any further documentation which I am not aware of?

Is the API only reachable via “external” or also over the search bar? (Like an internal search onto the API)

Thanks in advance.


Sorry, I meant the Incident API, not Search API - https://docs.logpoint.com/docs/logpoint-api-reference/en/latest/Incident%20API/Getting%20the%20incidents.html

That would allow you to retrieve information such as the repo selection, which user the incident was assigned to etc. It is “outside” of the GUI/search bar, so would have to be run from another system. That is still all about incidents that have actually triggered vs. the definition of the alert rules. You can find a list of all the alert rule definitions in the Alert Rule plugins manual at https://docs.logpoint.com/docs/alert-rules/en/latest/index.html. But I don’t think it’s the easiest to consume for your purpose.

I do remember seeing a Support ticket recently where Pravesh had created a tool the Support team could run to dump information about the currently defined or active alert rules from the LogPoint configuration database into a CSV.

That might be the best approach here for what I think you need. If you raise a Support ticket asking for this and mention that Pravesh Gaire recently did something like this for a different customer they can hopefully point you in the right direction.
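Pulling the triggered incidents out through the Incident API from another system and summarising them per alert rule (count, assigned user, repos) into a CSV, as an added Python example; this is not Logpoint's code and not from this thread. The `/incidents` path, the `username`/`secret_key`/`ts_from`/`ts_to` body fields and the incident field names `alert_name`, `assigned_to` and `repos` are assumptions drawn from what the linked docs describe, so check them against your LogPoint version.

```python
import csv
import json
import ssl
import sys
import urllib.request
from collections import defaultdict


def fetch_incidents(base_url, username, secret_key, ts_from, ts_to, cafile=None):
    """POST to the Incident API (assumed endpoint/body) for a time window in epoch seconds."""
    body = json.dumps({"username": username, "secret_key": secret_key,
                       "ts_from": ts_from, "ts_to": ts_to}).encode()
    req = urllib.request.Request(f"{base_url}/incidents", data=body,
                                 headers={"Content-Type": "application/json"})
    ctx = ssl.create_default_context(cafile=cafile)  # verify the LogPoint TLS certificate
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def summarize_by_rule(incidents):
    """Group incident records by alert rule name; field names are assumptions."""
    summary = defaultdict(lambda: {"count": 0, "assigned_to": set(), "repos": set()})
    for inc in incidents:
        row = summary[inc.get("alert_name", "<unnamed>")]
        row["count"] += 1
        if inc.get("assigned_to"):          # unassigned incidents carry an empty value
            row["assigned_to"].add(inc["assigned_to"])
        row["repos"].update(inc.get("repos", []))
    return dict(summary)


def summary_rows(summary):
    """Flatten the summary into CSV rows, header first, sorted by rule name."""
    rows = [["alert_name", "count", "assigned_to", "repos"]]
    for name, row in sorted(summary.items()):
        rows.append([name, row["count"], ";".join(sorted(row["assigned_to"])),
                     ";".join(sorted(row["repos"]))])
    return rows


# Constructed sample response, shaped like what the API is assumed to return.
SAMPLE_INCIDENTS = [
    {"alert_name": "Brute Force Login", "assigned_to": "analyst1", "repos": ["default"]},
    {"alert_name": "Brute Force Login", "assigned_to": "analyst2", "repos": ["default", "_logpoint"]},
    {"alert_name": "Malware Beacon", "assigned_to": "", "repos": ["_LogPointAlerts"]},
]

if __name__ == "__main__":
    # Replace SAMPLE_INCIDENTS with fetch_incidents(...) to run against a live system.
    csv.writer(sys.stdout).writerows(summary_rows(summarize_by_rule(SAMPLE_INCIDENTS)))
```

Once the rows are in a CSV they can be joined with other exports or loaded back into a repository for the combined reporting the question asks about.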

Hi Nils,

I will go through the information you gave me and open a support ticket as well.

If I have further questions, I will update the topic.

 

Thank you very much!

 

BR,

Sascha
