Alerts and Saved Searches Best Practices

The documentation outlines best practices for LogScale Query Language alerts and saved searches, emphasizing the importance of efficient queries to maintain optimal system performance. It specifically covers alert labels functionality, which allows users to tag and easily search for alerts, as demonstrated by the corelight/threathuntingguide package's implementation of ATT&CK tactics and techniques labeling.

Make sure to follow the general best practices for the LogScale Query Language described in Statement order for better queries. Following them minimizes system load and keeps the service performing well; careless or inefficient queries can cause performance issues.

Alert Labels

Alerts can have labels attached to them, which are displayed next to the alert name in the list of Alerts and are searchable. Labels are a useful way to tag an alert with meaningful data and to help locate alerts that carry a certain tag.

For example, the corelight/threathuntingguide package uses labels to show the ATT&CK tactics and techniques that each alert covers.
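As an added example (not taken from the corelight/threathuntingguide package or from the LogScale documentation), the following alert definition shows both points above in one place: the query follows the recommended statement order (tag filters first, then field filters, then parsing and transformation, then aggregation), and the alert carries ATT&CK labels so it can be found by tactic or technique. The YAML layout and field names (`name`, `query`, `queryString`, `start`, `isLive`, `throttleTimeMillis`, `actions`, `labels`) are assumed from the LogScale package alert format; the `#type=accesslog` tag, the `status` and `path` field names and the label values are constructed for this example, so adjust them to your own repository's schema before use.

```yaml
# Added example alert definition, not part of the original page.
# Field names are assumed from the LogScale package alert format.
name: Web server - burst of 5xx errors per path
description: >
  Fires when any single request path produces more than 50 server errors
  within the search window. Demonstrates statement order and labels.
query:
  queryString: |
    // 1. Tag filters first: tags are indexed, so this narrows the
    //    data set before anything else runs (#type is constructed).
    #type=accesslog
    // 2. Field filters next: cheap comparisons on already-parsed fields.
    | status >= 500
    // 3. Parsing / transformation only on the surviving events.
    | regex("^(?<method>[A-Z]+) (?<path>[^ ?]+)", field=request)
    // 4. Aggregation last, over the smallest possible set of events.
    | groupBy([path], function=count(as=errors))
    | errors > 50
  # Search window and live evaluation (values are constructed).
  start: 15m
  isLive: true
# Suppress repeated firings for 10 minutes (600000 ms).
throttleTimeMillis: 600000
# No actions attached in this example; add notification actions here.
actions: []
# ATT&CK-style labels, searchable in the Alerts list. Values are
# constructed placeholders in the spirit of the corelight package.
labels:
  - "TA0001 Initial Access"
  - "T1190 Exploit Public-Facing Application"
  - "severity:medium"
```

The ordering matters because each stage of the pipeline only sees the events that survived the previous one: moving the `regex()` call above `status >= 500` would run the parser against every access log line instead of only the error responses, which is exactly the kind of inefficiency the best-practice guidance warns against.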