[Feature] Related Alerts Module - Sort by "StartTime" desc #477
Comments
|
@NobleWolf this is currently sorted by AlertSeverity (High, Medium, Low, Informational) and the table output to the top 20 alerts (based on that sort) due to comment length limitations. If we sort just by time, we may end up sorting a bunch of Informational alerts to the top and hide more serious ones in the event of > 20 related alerts. What do you think of a sort by Severity, than time?. In the case of you're screenshot they are all mediums so it would effectively be a date sort... but if it's mixed severity, the highs will still rise to the top, even if they are not the most recent |
|
Could we do some HTML5 tag table trickery to allow sorting in the output? |
|
@piaudonn do you think that is feasible? Most times we've tried any advanced html it hasn't really worked out consistently between the two interfaces (Azure Portal / XDR) |
briandelmsft
added
enhancement
@piaudonn oh that'd be great if it works! @briandelmsft okay, that sorting makes good sense, but what if there was some additional sub sorting within the Severity levels so that the most recent of each AlertSeverity appeared first. Could it be done with a case statement like this? Or maybe after you get the top 20 by severity then just order the remaining by TimeGenerated newest? I think either would be good, but having some sort of time based sorting is good for our brains. I might suggest also noting the sorting pattern somewhere for SOC analyst's consumption.
|
Is your feature request related to a problem? Please describe.
The Related Alerts module posts a list of related alerts, but it doesn't seem to sort the table before posting it. Here is a screenshot example:
Describe the solution you'd like
The table should be sorted by date/time for simpler anlayst consumption.
Describe alternatives you've considered
Rewriting my own enrichment.
Additional context
None
The text was updated successfully, but these errors were encountered: