Hello.
We currently have this rule set for “Track Notable Events”. We did run the assessment report, but it only gives a count as to how many times it would have triggered. How can I use the rule logic and run it in log search? I tried copying it and running it, but it’s not working.
I agree, this is a big gap from the Rapid7 side. To me, an assessment report should be able to be downloaded to a CSV to show each log event.
What we have done is turned them to “creates alerts”, and then only promoting them to investigation if we find something that shouldn’t be there. When it is set to create alerts, that is where you can pull a CSV report to find out what it would be creating investigations for.
Also, I think you can put in a support ticket and they will divulge the information that is included in the subquery so that you can look it up yourself, as currently you can’t use a subquery in log search, which is also disappointing.
That’s a good idea on how to handle alerts for this rule. I’ve done something similar for the RMM rule. Thank you for your input.