This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

SIEM Alerts icon

Posted on 12-23-2023 11:35 PM
AThebrand
Bronze 2
Bronze 2
Reply posted on --/--/---- --:-- AM

Hi community. 

Yesterday I noticed something weird working on Chronicle SIEM. We received an alert coming from a custom rule of ours; Clicking on the user that triggered this rule, should show up the timeline with all events related to that user as you can see below. 

AThebrand_0-1703403018947.png

In the legend, there is that little red triangle that should represent alerts coming from the specific entity that we're analyzing, there is nothing related to the alert I was talking about before though. I wonder why... am I misinterpreting the legend? 

Thank you and merry xmas! 

1 1 342
Topic Labels
1 REPLY 1

Posted on --/--/---- --:-- AM
jstoner
Staff
Reply posted on --/--/---- --:-- AM

I want to be careful I don't get too far over my skis here, but I believe that Alert flag was a vestige of some of the alerts that resulted from indicator matching and less on the YARA-L rules that you create. As I review my system, none of my YARA-L rules show as alerts in that view. We have some work going on the with the views that will hopefully start coming out next year that will refine some of these things and align terminology a bit better to make things a bit clearer.

0 Likes
Top Solution Authors
View all