I have alert logs coming in from an AV tool, and when a tech working on an alert assigns it to themselves, it generates a new log file; the same happens when it is closed.
This is the basic search I have for all the events:
index="AV"
| rename assignedTo.username as Owner
| rename alertTypeDetails.detail.agenthostname as agenthostname
| rename alertTypeDetails.source as source
| eval "Source"=coalesce(source,agenthostname," N/A ")
| rename alertTypeDetails.detail.virus as virus
| rename alertTypeDetails.detail.category as category
| eval "Malware"=coalesce(iocnames, virus, category, " N/A ")
| eval Owner=if(isnull(Owner)," ",Owner)
| eval Time=strftime(_time, " %m/%d/%Y %H:%M:%S")
| stats values(risk) as Severity values(message) as Message values(Malware) as Malware values(Owner) as Owner values(state) as Status values(customer_id) as Helix values(Time) as Time count by Source
| sort -Status
I want to exclude the hosts that have additional events where the value of Owner is not " " and the Status is not Open, so I can just see the new events that haven't been assigned or closed yet.
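One way to express that filter, as an added example that is not part of the original post: each event is flagged as "touched" when it carries an assigned Owner or a state other than Open, the flag is carried through the stats as a per-Source maximum, and only Sources with no touched event are kept. It assumes the field names from the post and that the raw state value for an open alert is literally "Open".

```spl
index="AV"
| rename assignedTo.username as Owner
| rename alertTypeDetails.detail.agenthostname as agenthostname
| rename alertTypeDetails.source as source
| eval "Source"=coalesce(source, agenthostname, " N/A ")
| rename alertTypeDetails.detail.virus as virus
| rename alertTypeDetails.detail.category as category
| eval "Malware"=coalesce(iocnames, virus, category, " N/A ")
| eval Owner=if(isnull(Owner), " ", Owner)
| eval Time=strftime(_time, "%m/%d/%Y %H:%M:%S")
| eval touched=if(Owner!=" " OR state!="Open", 1, 0)
| stats values(risk) as Severity values(message) as Message values(Malware) as Malware values(Owner) as Owner values(state) as Status values(customer_id) as Helix values(Time) as Time count max(touched) as touched by Source
| where touched=0
| fields - touched
| sort -Status
```

Because the flag is computed before the stats, a host whose earlier "new" event was later followed by an assignment or close event drops out entirely, rather than showing up with a multivalue Owner or Status.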