I have 2 events with alias_host array meta as below. Event1: "alias.host":["google.com","outlook.com","bing.com"] Event2: "alias.host":["msn.com","google.com","microsoft.com"] Anyone have tip how to group by alias_host in ESA EPL rule? How to compare...
Hello team, I would like to collect the logs of the Box. Has someone already done it here? Thank you !
I'm trying to make our reporting engine send the generated reports via email, however it keeps getting stuck at Partial state after execution. When I checked the logs, it shows this error: Failed to execute Report Output Actioncom.rsa.soc.re.exceptio...
Hi, I have this rule configured, the objective is to find out multiple login attempts from the same source IP with different users within the time frame. @RSAAlert(oneInSeconds=0, identifiers={"ip_src"}) SELECT event_time,ip_src,country_src,user_dst,...
Where can I find documentation on the query syntax used within Investigate? I don't seem to be able to find what query syntax is available and no example on advanced use cases. When looking at the service uncoder.io and I convert a sigma document to ...
