Hi.
Are any Detection Rules that are set to “Track Notable Events” available in Log Search and not just in an Investigation?
Not sure I understand this question. If a detection is set to Track Notable Events, just take the LEQL query in the rule and search on it. That will show you all of the recent detections of that rule (but obviously none of them will turn into investigations, as you have it set to track notable events, not “Create Investigation”).
When I try to copy and paste the LEQL query in log search the format is not correct.
I just wish there was a way I can search for and view all “notable events” in log search.
The best way to review your notable events is to go into Users and Accounts → Risky users → and then review the users with the most notable events. But also copying and pasting the LEQL Query should work as well, as long as you remove the part at the top signifying which log set you are searching. You need to remove that part and select it manually on the left side dropdown menu.
Got it, that’s what I thought. Thank you.
This query has a subquery and doesn't seem to work:
where(
SUBQUERY("File Transfer Tools")
)