We have the following search that sends a report once a day.
| inputlookup append=T malware_tracker | stats min(firstTime) as firstTime,dc(dest) by signature | eval _time=firstTime | `daysago(1)` | sort 100 - firstTime | `uitime(firstTime)` | table firstTime,signature,dc(dest)
We had this set up as an alert in the past, but due to the nature of the alert, it generated continuous emails. I am thinking I need to customize the alert based on the signature and I am not sure how to go about doing this. Thank you.
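As an added example that is not part of the original post, here is a savedsearches.conf stanza that runs the search above once a day and throttles the email so that each signature value triggers at most one notification per 24 hours; the stanza name, recipient address and cron schedule are assumptions, not values from the post.

```ini
# Assumed stanza name; the search is the one from the post, unchanged.
[Daily malware tracker report]
search = | inputlookup append=T malware_tracker | stats min(firstTime) as firstTime,dc(dest) by signature | eval _time=firstTime | `daysago(1)` | sort 100 - firstTime | `uitime(firstTime)` | table firstTime,signature,dc(dest)
# Run once a day at 06:00 (assumed schedule).
cron_schedule = 0 6 * * *
enableSched = 1
dispatch.earliest_time = -1d
dispatch.latest_time = now
# Trigger per result row, so throttling can key on the signature field.
alert.track = 1
counttype = number of events
relation = greater than
quantity = 0
alert.digest_mode = 0
# Throttle: suppress repeat alerts for the same signature for 24h.
alert.suppress = 1
alert.suppress.fields = signature
alert.suppress.period = 24h
# Email action (recipient is an assumed placeholder).
action.email = 1
action.email.to = soc-alerts@example.com
action.email.subject = New malware signature: $result.signature$
action.email.include.results_link = 1
```

Because the search groups with `stats ... by signature`, every result row carries a `signature` field, which is what `alert.suppress.fields` keys on; a signature that was already emailed in the last 24h is dropped while new signatures still send.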