Non-Approved Application - File Transfer Tools

Hello.
We currently have this rule set for “Track Notable Events”. We did run the assessment report, but it only gives a count of how many times it would have triggered. How can I use the rule logic and run it in log search? I tried copying it and running it, but it’s not working.

I agree, this is a big gap from the Rapid7 side. To me, an assessment report should be able to be downloaded to a CSV to show each log event.

What we have done is turn them to “create alerts”, and then only promote them to an investigation if we find something that shouldn’t be there. When a rule is set to create alerts, that is where you can pull a CSV report to find out what it would be creating investigations for.

Also, I think you can put in a support ticket and they will divulge the information that is included in the subquery so that you can look it up yourself, as currently you can’t use a subquery in log search, which is also disappointing.


That’s a good idea on how to handle alerts for this rule. I’ve done something similar for the RMM rule. Thank you for your input.

I am curious how you are doing this?

Is it a manual effort to add them to an investigation, or you are automating this process?

If you have a list of approved tools, you could leverage InsightConnect to trigger on new alerts with this title; it could then check against the list to see whether the tool is approved or not. If it is not approved, it could add the alert to an investigation for your review.
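One way to do the approved-list check described above without InsightConnect, as an added Python example that is not code from this thread or from Rapid7: it reads an alert CSV export, drops rows whose executable is on your approved list, and groups the rest by tool and host for an investigation note. The column names and alert rows are constructed for the example and are not InsightIDR's real export schema.

```python
import csv
import io

# Constructed sample of an alert export. The column names are an assumption for this
# example, not Rapid7's real CSV schema; adjust them to match your own export.
SAMPLE_ALERT_CSV = """timestamp,hostname,user,process_path,alert_title
2024-05-01T09:12:03Z,WS-0142,jdoe,C:\\Program Files\\WinSCP\\WinSCP.exe,Non-Approved Application - File Transfer Tools
2024-05-01T09:15:44Z,WS-0142,jdoe,C:\\Program Files\\FileZilla FTP Client\\filezilla.exe,Non-Approved Application - File Transfer Tools
2024-05-01T10:02:10Z,SRV-07,svc_backup,C:\\Users\\svc_backup\\Downloads\\rclone.exe,Non-Approved Application - File Transfer Tools
2024-05-01T10:40:00Z,WS-0231,asmith,C:\\Temp\\wscp.exe,Non-Approved Application - File Transfer Tools
"""

# Your organisation's approved file transfer tools (constructed list for the example).
APPROVED_TOOLS = {"winscp.exe", "filezilla.exe"}


def tool_name(process_path: str) -> str:
    """Return the lower-cased executable name from a Windows or POSIX path."""
    return process_path.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()


def triage_alerts(csv_text: str, approved: set[str]) -> tuple[list[dict], list[dict]]:
    """Split alert rows into (needs_review, approved_noise) by executable name."""
    needs_review, approved_noise = [], []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if tool_name(row["process_path"]) in approved:
            approved_noise.append(row)
        else:
            needs_review.append(row)
    return needs_review, approved_noise


def review_summary(rows: list[dict]) -> dict[str, list[str]]:
    """Group unapproved alerts as executable -> sorted hostnames, for an investigation note."""
    summary: dict[str, set[str]] = {}
    for row in rows:
        summary.setdefault(tool_name(row["process_path"]), set()).add(row["hostname"])
    return {tool: sorted(hosts) for tool, hosts in summary.items()}


if __name__ == "__main__":
    review, noise = triage_alerts(SAMPLE_ALERT_CSV, APPROVED_TOOLS)
    print(f"{len(noise)} alert(s) matched approved tools; {len(review)} need review")
    for tool, hosts in review_summary(review).items():
        print(f"  {tool}: {', '.join(hosts)}")
```

Matching on the bare executable name only catches a renamed or relocated binary as "unknown", which is the desired outcome here: anything not on the list lands in the review bucket.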

It’s manual. We don’t see many of these alerts, so it’s not a big deal to look at them for a second, nor do we have InsightConnect. Everything we use we build into the exception.


Same here. We just create exceptions for non-approved RMM tools.
