Use an Alert's native identifier to investigate whether alerts are coming into Red Canary, or to find a specific Alert in Red Canary.
Use the Raw data contains search box to search using the Alert's native identifier.
To find an example of the Alert's native identifier in Red Canary:
1. Go to the Alerts page
2. Find an example alert, and click into it
3. Click the original alert dropdown to expand the alert JSON
4. Find the alert's native identifier within the JSON - it may look something like this:
Use the syntax provided in the native alert JSON for the native identifier to conduct your search. Be sure to switch out for the alert ID you're looking for.
Use the standard search fields to narrow your search:
1. Select the Provider Source from the dropdown
2. Enter your search term in the Raw Data contains field
- Make sure to remove the leading quote (") from the search term, because quotes are automatically added around the term. Leaving the leading quote in may negatively affect your search.
- For instance, when searching for "alertId": 12345, it's entered in the field as
3. Hit Enter to add the search term to your search criteria
4. Click Search to execute the search.
Alternatively, use the Advanced Search.
When using Advanced search, the syntax is slightly different: use raw: followed by the exact text from the native alert JSON. For example:
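As an added example (not code from Red Canary or from this article), the following Python helper pulls the native identifier fragment out of an alert's original JSON exactly as it appears in the raw text, then derives the two search forms described above: the Raw Data contains term with its leading quote removed, and the Advanced Search raw: form. The sample alert JSON is constructed for this example; only the "alertId": 12345 key/value comes from the article. The exact spacing and quoting the Advanced Search field expects after raw: is an assumption, so compare the produced string against the field's own help text before relying on it.

```python
import json
import re

# Constructed sample of a native alert JSON, as it might appear under the
# "original alert" dropdown. All keys and values except "alertId" are made up.
SAMPLE_ALERT_JSON = """
{
  "alertId": 12345,
  "severity": "high",
  "hostname": "workstation-01"
}
"""


def native_identifier_fragment(alert_json: str, key: str) -> str:
    """Return the '"key": value' fragment verbatim from the raw JSON text.

    The search boxes match against the stored raw data, so the fragment is
    taken from the original text rather than from a re-serialized object,
    which could change spacing or key order.
    """
    data = json.loads(alert_json)  # validate it is JSON and the key is present
    if key not in data:
        raise KeyError(f"{key!r} not found in alert JSON")
    # Match the quoted key, the colon, and the value up to the next separator.
    pattern = re.compile(r'"%s"\s*:\s*[^,}\n]+' % re.escape(key))
    match = pattern.search(alert_json)
    if match is None:
        raise ValueError(f"could not locate raw text for key {key!r}")
    return match.group(0).rstrip()


def raw_data_contains_term(fragment: str) -> str:
    """Term for the 'Raw Data contains' field.

    The field wraps the term in quotes itself, so the leading quote of the
    fragment is dropped; leaving it in would double the quote.
    """
    return fragment[1:] if fragment.startswith('"') else fragment


def advanced_search_query(fragment: str) -> str:
    """Query for Advanced Search: raw: followed by the exact JSON text.

    Assumption: no space between 'raw:' and the fragment.
    """
    return "raw:" + fragment


if __name__ == "__main__":
    fragment = native_identifier_fragment(SAMPLE_ALERT_JSON, "alertId")
    print("raw JSON fragment :", fragment)
    print("Raw Data contains :", raw_data_contains_term(fragment))
    print("Advanced Search   :", advanced_search_query(fragment))
```

Run it as a script to see the three forms side by side; swap in the real alert's JSON and the key name that carries the native identifier for your provider source.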