Good day
I am currently in the process of creating alerts for the events received.
Within the Triggered Alerts, I can identify all the alerts that are activated, but I have a problem: the alerts only show the name, severity, etc., but I cannot identify fields such as the host or IP.
Through a search I can find the log that the Triggered Alerts use, but I cannot find a way to extract the IP of the actual event.
index=_audit action=alert_fired ss_app=* | eval ttl=expiration-now() | search ttl>0 | convert ctime(trigger_time) | table trigger_time ss_name severity | rename trigger_time as Fecha, ss_name as Alerta, severity as Severidad
How could I do this?
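One way to pull the original event's fields alongside each fired alert, as an added example that is not part of the original post: the alert_fired audit event carries the search job id (sid), and while the job artifact has not expired (the ttl>0 filter) its results can be reloaded per row with map and loadjob. It assumes the source events carry host and a field named src_ip (src_ip is an assumed name; substitute whatever field holds the IP in your data).

```spl
index=_audit action=alert_fired ss_app=*
| eval ttl=expiration-now()
| search ttl>0
| convert ctime(trigger_time)
| map maxsearches=50 search="| loadjob $sid$ | eval Fecha=\"$trigger_time$\", Alerta=\"$ss_name$\", Severidad=\"$severity$\" | table Fecha Alerta Severidad host src_ip"
```

map runs one sub-search per fired alert, so keep maxsearches at or above the number of rows you expect; once a job's expiration passes, loadjob has nothing to load and that alert's row disappears, which is why the audit entries alone never contain the host or IP.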