Hello,
I would like to find the offense number that my CRE events (which my fired rule response generates) are members of.
As there is no "offense number tag" in the event properties, I can test whether I find my CRE event in any open offenses (by filtering on starttime).
And it works.
When I POST this search to /ariel/searches:
SELECT starttime,logsourceid,LOGSOURCENAME(logsourceid),qid,QIDNAME(qid),QIDDESCRIPTION(qid) FROM events WHERE InOffense(27) LAST 5 HOURS
I obtain the following result:
{
  "events": [
    {
      "starttime": 1585067137697,
      "logsourceid": 163,
      "logsourcename_logsourceid": "MainCampusFW",
      "qid": 2000001,
      "qidname_qid": "Traffic Accept",
      "qiddescription_qid": "A packet has been accepted by FW"
    },
    {
      "starttime": 1585067138058,
      "logsourceid": 63,
      "logsourcename_logsourceid": "Custom Rule Engine-8 :: xxxxx0ap",
      "qid": 67500131,
      "qidname_qid": "Compromised Server previously Infected participate to Botnet",
      "qiddescription_qid": "A outgoing connexion happens from previously infected server to C&C (UC #43)"
    }
  ]
}
By deduction, if I have a result with my event starttime, it means that I have tested the right offense number.
But this output shows only 2 results, whereas in this offense I have these two types of events multiple times:
Why does it show only the first event of each type? How can I obtain the other events?
Thank you so much,
------------------------------
Clément
------------------------------
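The Ariel API exchange described in the post, as an added example that is not from the post or from IBM: it submits the same AQL, polls the search until it reports COMPLETED, and then fetches the result set page by page with the Range header, so rows beyond a single response are still retrieved. The console host, the SEC token and the sample rows served by the offline stand-in are assumed.

```python
# Added example (not from the post): console host, SEC token and sample rows are assumed.
import json
import time
import urllib.parse
import urllib.request

def build_offense_query(offense_id, hours):
    """The AQL from the post, parameterised on offense number and time window."""
    return ("SELECT starttime,logsourceid,LOGSOURCENAME(logsourceid),qid,QIDNAME(qid),"
            f"QIDDESCRIPTION(qid) FROM events WHERE InOffense({int(offense_id)}) LAST {int(hours)} HOURS")

def qradar_http(console, token):
    """Transport for a real console: SEC-token auth, JSON in and out (assumed host/token)."""
    def http(method, path, headers=None):
        req = urllib.request.Request("https://" + console + path, method=method,
            headers={"SEC": token, "Accept": "application/json", **(headers or {})})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return http

def run_search(http, query, page_size=50, poll_seconds=1.0):
    """POST the search, poll until COMPLETED, then GET the results page by page
    via the Range header so a response size limit cannot silently drop rows."""
    search_id = http("POST", "/api/ariel/searches?"
                     + urllib.parse.urlencode({"query_expression": query}))["search_id"]
    while (state := http("GET", f"/api/ariel/searches/{search_id}")["status"]) != "COMPLETED":
        if state in ("CANCELED", "ERROR"):
            raise RuntimeError(f"search {search_id} ended in state {state}")
        time.sleep(poll_seconds)
    rows, start = [], 0
    while True:
        page = http("GET", f"/api/ariel/searches/{search_id}/results",
                    {"Range": f"items={start}-{start + page_size - 1}"})["events"]
        rows.extend(page)
        if len(page) < page_size:
            return rows
        start += page_size

def fake_console(rows):
    """Constructed offline stand-in that answers like the Ariel API (search completes at once)."""
    def http(method, path, headers=None):
        if method == "POST":
            return {"search_id": "test-search"}
        if not path.endswith("/results"):
            return {"status": "COMPLETED"}
        lo, hi = (int(n) for n in headers["Range"].split("=")[1].split("-"))
        return {"events": rows[lo:hi + 1]}
    return http
```

Against a live console, call run_search(qradar_http("console.example", "<SEC token>"), build_offense_query(27, 5)); the fake_console transport exists only to exercise the paging logic offline.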