Alerts doubling when consuming logs by custom connector built by me

Copper Contributor

Hello everyone, I created a connector to integrate my EDR API with Sentinel to generate alerts when consuming the logs; however, when it reruns the search it duplicates the event, even though I use distinct and the filter to group alerts with the same ID. Is there any way to filter events before generating alerts? Example: an alert for ID XPTO is generated; after 5 minutes, if ID XPTO already exists, do not bring the information, only bring a new alert after the next 5-minute scan if the ID is different from XPTO.
MYEDRTOOL_CL
| where Status_s == "TODO" or Status_s has "REOPEN"   // only open or reopened cases
| project-away LastUpdateTime_t, TimeGenerated        // drop columns that change on every poll
| project-rename
    Usuarios_Afetados = AffectedUsers_s,
    Hosts_Afetados = AffectedMachine_s,
    Attack_Type = EDRAttackTypes_values_s
| distinct *                                          // collapse identical rows
| extend Status = iff(Status_s == "TODO", "UnderInvestigation", iff(Status_s == "REOPEN", "Reopened", "."))
| extend Hosts = todynamic(Hosts_Afetados)            // host list string -> dynamic array
| project-reorder
    CreationTime_t,
    GUID_s,
    Status,
    Attack_Type,
    Hosts,
    Usuarios_Afetados,
    DecisionFailure_s,
    Suspects_s,
    InvolvedHash_s,
    Link_s
| mv-expand Hosts                                     // one row per affected host
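One way to get the behaviour asked for above (alert on an ID only the first time it shows up, not on every 5-minute rerun), as an added example that is not part of the original post; it reuses the table and column names from the query above, while the 1-day suppression window, the use of ingestion_time() as the first-seen timestamp, and the grouping by Status_s are assumptions.

```kusto
// Added example, not from the original post. Goal: alert on a case ID (GUID_s) only
// the first time it is ingested, so re-running the rule every 5 minutes does not
// re-alert on the same XPTO ID; a later REOPEN of that ID still produces a new alert.
let run_frequency = 5m;   // how often the scheduled rule runs (from the post)
let suppression   = 1d;   // assumption: how long an already-seen ID stays suppressed
MYEDRTOOL_CL
| where TimeGenerated > ago(suppression)
| where Status_s == "TODO" or Status_s has "REOPEN"
| extend IngestedAt = ingestion_time()
// one row per (ID, status): its latest fields plus the time it was first ingested
| summarize FirstSeen = min(IngestedAt), arg_max(IngestedAt, *) by GUID_s, Status_s
// IDs first seen before this run window were already alerted on by an earlier run
| where FirstSeen > ago(run_frequency)
| extend Status = iff(Status_s == "TODO", "UnderInvestigation", "Reopened")
| extend Hosts = todynamic(AffectedMachine_s)
| mv-expand Hosts
| project CreationTime_t, GUID_s, Status,
          Attack_Type = EDRAttackTypes_values_s, Hosts,
          Usuarios_Afetados = AffectedUsers_s,
          DecisionFailure_s, Suspects_s, InvolvedHash_s, Link_s
```

The analytics rule's lookback ("Lookup data from the last") must be at least as long as the suppression window so the earlier rows are visible to the query. Grouping the rule's alerts by GUID_s in the event-grouping settings then keeps the alert-per-ID behaviour the post is after.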