Get Incident details such as assigned to, comments by the analyst, Incident ID etc. using a query in Logs - azure-sentinel

I am investigating incidents but I need to tie them with the SOC analyst who worked on it and what comments were added by them. I am not able to find these details in any table.
This will be helpful to pull out the metrics for the SOC team.
Where can I find this information?

Understandably, these are difficult to expose right now. They are located in the AzureActivity table (with the Azure Activity Data Connector enabled).
We will be making this much easier very soon with a new table specific to Incidents.
In the interim, here's a KQL snippet that you can use to start sifting through the results for Incidents in the AzureActivity table:
AzureActivity
| where _ResourceId has "Microsoft.SecurityInsights" and _ResourceId has "incidents"
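Building on that snippet, the following is an added example (not part of the original answer) that pulls out the fields the question asks for: the incident ID parsed from _ResourceId, the analyst (Caller) and the operation, then rolls the rows up per analyst for SOC metrics. TimeGenerated, Caller, OperationNameValue and ActivityStatusValue are standard AzureActivity columns; the assumptions that the incident GUID follows "/incidents/" in the resource ID and that comment operations carry "comments" in the operation name are mine, so check them against a few rows in your own workspace before relying on the counts.

```kql
// Added example: incident activity per analyst from AzureActivity.
// Assumes the Azure Activity data connector is enabled for the workspace.
AzureActivity
| where _ResourceId has "Microsoft.SecurityInsights" and _ResourceId has "incidents"
// Assumption: the incident GUID follows "/incidents/" in the resource ID
// (comment writes append "/comments/<id>" after it, so this still yields the incident).
| extend IncidentId = extract(@"(?i)/incidents/([^/]+)", 1, _ResourceId)
// Assumption: comment operations carry "comments" in the operation name.
| extend Action = case(
    OperationNameValue has "comments", "Comment",
    OperationNameValue has "incidents", "IncidentUpdate",
    "Other")
| where isnotempty(IncidentId)
// One row per logged operation: who touched which incident, and when.
| project TimeGenerated, IncidentId, Caller, Action, OperationNameValue, ActivityStatusValue
// Roll up per analyst for team metrics.
| summarize
    Updates       = countif(Action == "IncidentUpdate"),
    Comments      = countif(Action == "Comment"),
    Incidents     = dcount(IncidentId),
    FirstActivity = min(TimeGenerated),
    LastActivity  = max(TimeGenerated)
  by Caller
| order by Updates desc
```

Run it once without the summarize and order lines to eyeball OperationNameValue and confirm the Action mapping for your tenant. Keep in mind that an activity-log entry records the operation and its caller, not the request body, so the text of a comment is not available from this table.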

Related

Customize logName in GKE

Recently had to upgrade our GKE logging settings to Cloud Operations for GKE (per https://cloud.google.com/stackdriver/docs/solutions/gke/migration#what-is-changing). From the document, an interesting change in the logName field occurred, where it was previously based on the container name, but now is just "projects/{PROJECTID}/logs/stdout".
This normally would not be a problem but we rely heavily on Logging to BigQuery sinks to be able to analyze our log data. Since BigQuery log sinks use the logName for the table it generates, every table we produce now is "stdout_*" instead of the container name. This is very confusing and makes it more difficult to use shared datasets and generally bad from a naming point of view. I have already filed a feature request with Google to be able to customize the BQ sink table name, but that does not help our use case right now.
If we can change the logName then that would change the BQ table name as well. I have seen Google's documentation for their logging agent but have not found a way to edit this logName field.
Options I have considered:
cron job to copy the tables to a new table name (downside on maintenance and small increase in cost)
Disable default logging and use a custom logging solution (large time investment and not clear if that would still help here)
Biting the bullet and just using the stdout_* table name (very close to choosing this option)
Is there any way to customize the logName from a k8s container?

How do you pull an Incident and ServiceRequest's 'Created By User' property?

I can't seem to use a good enough combination of words for Google. Everything I find is for the affected user, the person this ticket is for. I do not care about this... I am trying to find the agent/person who CREATES the ticket instead! I am trying to pull information on how many incidents and service request tickets my desk has created, and while I can track completed MA's by us, it eludes me on this.
I cannot find any documentation at all on how to do this... The closest I could find, the cmdlets they use are no longer included in SMLets.
Basically, I want to do this https://lazywinadmin.com/2016/03/powershellscsm-get-manual-activities_9.html#, but apply it to created incidents and SRs.
The closest I've found was a Get called Get-SCSMClassProperty, but I cannot find any documentation on how to use it. The closest I've found was a bug report where the code is cut off.
Ultimately, I already have the backbone required to compare a result to a list of agents, I just don't know the actual property name or how to reference it.
A reference I've tried is: https://www.catapultsystems.com/blogs/scsm-powershell-get-work-item-information/
But what is suggested, Get-SCSMClassInstance, does not exist anymore. But if it did, it yields the below output, which is pretty close to what I think I am trying to find here.

How to filter information in a Tableau dashboard that has two dimensions on it

I'm building a supervisor scorecard in Tableau, but I'm stuck on filtering the supervisor.
There are a few criteria that need to be integrated into the scorecard. E.g. the employees' lateness under each supervisor will be taken into account in that supervisor's performance. Also, the supervisor's own lateness will be taken into account in his performance.
My expectation would be to aggregate all the criteria in the dashboard, and filter by supervisor's ID or Name to get his scorecard data.
Here is the sample of my data.
Now I've completed all the employee level data. I created multiple worksheets to evaluate the supervisor's performance based on their employees' performance, and filter by 'SupervisorID'.
But I'm having a hard time aggregating the supervisor's own performance into it.
If I filter by SupervisorID, Tableau will still give me employee level data. I've tried to create a set to only put the Supervisor inside in a single worksheet, but all I can think of right now is to filter by EmployeeID to get the supervisor level data, but in this way I'm not able to get the information in the dashboard because I was using 'SupervisorID' to filter the supervisor.
Any idea would be helpful for me. Thank you in advance!
Could you not filter by the role? This should show the same viz but with only the employees with "Supervisor" as the role.
Edit: I think I misread your need. It sounds like you want to show the supervisor with the total late mins for them and their reporting employees. I think that you might want to create a calculated field that shows the supervisor if the supervisorid is not null else show the employee name. In your example, this field would have lines 1,2, and 4 with "Johnny". You can then use this field in conjunction with your late minutes field. I think this may get you where you want to go.

MS Access: all the data in my table does not show up in my form

I hope my question makes sense, I'll try to give as much info as possible. I should probably start off by saying this is the first Access database (any database) I have ever done and my knowledge comes from trial and error as well as YouTube and the occasional Google search... NOOB
So I'm attempting to build a database using Microsoft Access (2007) for the first time (Student Records in my department). I have pulled in all the data I had available (names, major, graduate, advisor etc.) and made several appended tables for additional data using an append query (usually just pulling over name and ID# and major, and then adding the information that is related to the particular table).
Now I am going through the paper files (which we would like to get rid of) to update any missing data or add new students that we didn't have stored anywhere electronically.
I have created a form in which I can add new records or edit/add already available data that I need.
The problem that I have is that it pretty much pulls up everything I need except the occasional record (which I search for in the search field at the bottom using the ID#), so I figure hey, I must not have this student, and add it; when I hit save it basically tells me this record can't be added as there already is a conflicted value. And when I check my table, sure enough the record is there. In the form query where I check what tables the fields' information is pulled from, I have no criteria in there to filter any information out; the relationships overall are just based on the ID# (which is my primary key in all tables). When I check the data everything seems to be correct (not a wrong major, etc.) so I can't quite figure out why some records are not being pulled up.
My question is why and what can I do to fix it...
I hope my explanation is not too confusing. Thank you in advance.

Eclipse Birt Reports, Creating report from SQL database, (user key?)

I'm fairly new to using the BIRT Report Designer and need to figure out how to generate a report from a SQLite database. I have succeeded in getting it to connect to the DB but am now unsure how to generate a report, and the tutorials that I have found aren't of much help so far.
I have a template that was given to me by my employer that has a few fields, I'm wondering if these fieldnames (in the template) are supposed to match field names in the DB.
Also, when I go to Run->View Report-> As PDF I am unsure what I am supposed to enter for the field "User Key", does this correspond to a table name in the DB or something along these lines?
As of now, I have tried entering a table name but just a blank report is generated.
If anyone can point me to a good resource or help with this I would greatly appreciate it. Thanks
There are two books I could really advise:
BIRT - A Field Guide to Reporting
Integrating and Extending BIRT
and the Eclipse Help containing BIRT documentation.
I suppose the User Key could be a report parameter (listed in the Data Explorer window), which is passed to a Data Set to select the appropriate data. If I'm guessing right, check within the Data Set editor ("Parameters" tab and "Query" tab) where the User Key parameter goes in - probably to one of the table fields in a WHERE clause. Parameters in a query are represented by question marks: SELECT * FROM fooTable WHERE barColumn = ?. Hope tracking this would lead you to find out what to enter for the parameter.
Additionally, ensure that your Data Set(s) is (are) connected correctly to your SQLite Data Source ("Data Source" tab in the Data Set editor).
Being as new as you are to BIRT, I would suggest building a couple of reports with the sample DB (Classic Models). There are many, many samples out there for you to use as a guide. Additionally, most tutorials will use the Classic Models data so you can follow right along. After you create a couple of practice reports (this should not take more than 30-45 minutes) the template you have been given will likely make A LOT more sense and allow you to make progress almost immediately.
If you are looking for a nice collection of tutorials and samples, be sure to check out Birt Exchange for Dev Share (samples) & tutorials.
As for the "User Key" this is almost certainly a report-level parameter used to filter the data set (as the previous answer points out).
Good Luck!