Difference in Alerts count

Hi All,

I came across a weird issue: I checked data for the past 1 hour and found the alerts are mismatching across different windows.
For example, in SIEM Search I can see only 13, under ALERTS AND IOCs 300+, and when I did a retro-hunt it was also different.
Does anyone have an idea why it might happen?


Hi,
Alert discrepancies in SecOps can stem from time range mismatches, RBAC restrictions, filter settings, data ingestion delays, search logic, differing rule logic, or variations in retro-hunt data.

I suggest using the direct way to view alerts in SecOps:
Go to Detection > Alerts and IOCs: this page lists all current alerts.
*Make sure the selected time range matches your expectations, and remove any active filters to see all alerts.



Doing retrohunts is likely to change the alert count as well, since new data (raw logs/UDM events) might be available for the rule to create detections. It is also possible that the data changed due to enrichment and hence more detections are created. A new rule version may also create additional alerts.
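Both replies above come down to the same mechanism: each view applies "the last hour" to a different timestamp (when the event happened versus when the detection was produced) and to a different visibility scope, and a retrohunt back-fills detections whose detection time is recent but whose event time is days old. The following script is an added example, not code from the original thread or from the product; the field names (event_time, detection_time, visible) and the sample data are constructed assumptions, not the SIEM's schema. It builds a small set of detections that includes live hits, late-ingested events, a retrohunt backfill and hits hidden by the user's data scope, then counts the same set the way different views would and buckets each detection by why the counts disagree.

```python
"""Constructed illustration of why two views can disagree about "alerts in the
last hour". All field names and data below are assumptions made for this
example; they are not the SIEM's real schema or API."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Detection:
    rule: str
    event_time: datetime      # when the underlying log event happened
    detection_time: datetime  # when the rule engine produced the detection
    visible: bool             # whether the querying user's scope (RBAC) includes it


# Constructed reference "now" so the example is deterministic.
NOW = datetime(2025, 5, 25, 8, 0, tzinfo=timezone.utc)
WINDOW_START = NOW - timedelta(hours=1)


def build_sample() -> list:
    """Constructed sample: live hits, delayed ingestion, a retrohunt backfill,
    a detection produced after the window closed, and out-of-scope hits."""
    def m(minutes_ago):
        return NOW - timedelta(minutes=minutes_ago)

    sample = []
    # 10 live hits: event and detection both inside the last hour.
    sample += [Detection("rule_a", m(5 * i), m(5 * i) + timedelta(seconds=20), True)
               for i in range(1, 11)]
    # 3 events that happened just before the window but were ingested late,
    # so the detection itself lands inside the window.
    sample += [Detection("rule_a", m(65 + i), m(50 - i), True) for i in range(3)]
    # 40 detections back-filled by a retrohunt that ran 10 minutes ago over
    # two-day-old data: detection_time is recent, event_time is not.
    sample += [Detection("rule_a", NOW - timedelta(days=2, minutes=i),
                         m(10) + timedelta(seconds=i), True) for i in range(40)]
    # 1 event inside the window whose detection was produced after the window
    # closed (e.g. the view was queried later than the window end).
    sample += [Detection("rule_a", m(3), NOW + timedelta(minutes=2), True)]
    # 2 hits in the window that the user's data-access scope hides.
    sample += [Detection("rule_b", m(20), m(19), False),
               Detection("rule_b", m(40), m(39), False)]
    return sample


def count_in_window(dets, by, start=WINDOW_START, end=NOW, scoped=True) -> int:
    """Count detections whose `by` timestamp ('event_time' or 'detection_time')
    falls in [start, end). With scoped=True, drop what the user cannot see."""
    total = 0
    for d in dets:
        ts = getattr(d, by)
        if start <= ts < end and (d.visible or not scoped):
            total += 1
    return total


def explain_gap(dets, start=WINDOW_START, end=NOW) -> dict:
    """Bucket every detection by which timestamp puts it inside the window,
    so the difference between two views can be attributed to a cause."""
    buckets = {"both": 0, "detection_time_only": 0, "event_time_only": 0,
               "hidden_by_scope": 0, "outside": 0}
    for d in dets:
        in_by_event = start <= d.event_time < end
        in_by_detection = start <= d.detection_time < end
        if not (in_by_event or in_by_detection):
            buckets["outside"] += 1          # not in this window by any clock
        elif not d.visible:
            buckets["hidden_by_scope"] += 1  # RBAC / data scope removes it
        elif in_by_event and in_by_detection:
            buckets["both"] += 1             # every view agrees on these
        elif in_by_detection:
            buckets["detection_time_only"] += 1  # late ingestion or retrohunt backfill
        else:
            buckets["event_time_only"] += 1  # detection produced after window end
    return buckets


if __name__ == "__main__":
    sample = build_sample()
    print("window applied to event_time, user scope:   ", count_in_window(sample, "event_time"))
    print("window applied to event_time, all data:     ", count_in_window(sample, "event_time", scoped=False))
    print("window applied to detection_time, user scope:", count_in_window(sample, "detection_time"))
    print("window applied to detection_time, all data:  ", count_in_window(sample, "detection_time", scoped=False))
    for bucket, n in explain_gap(sample).items():
        print(f"  {bucket:22s} {n}")
```

When troubleshooting a real discrepancy, the practical check is the same as the one the script performs: confirm which timestamp each view filters on, whether the two views share the same data scope, and whether a retrohunt or new rule version ran inside the window; the `detection_time_only` bucket is where backfilled and late-ingested detections accumulate.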