
Feature: Archive events for time range

Open LaramieSmile opened this issue 7 years ago • 5 comments

Would it be possible to make it so you can archive alert IDs for the entire selected time range and not just the visible events on screen?

LaramieSmile avatar Jun 15 '17 21:06 LaramieSmile

Or/also, the ability to whitelist SIDs so evebox won't ever display them. There are a number of SIDs I'm interested in aggregate numbers for, but don't care to see the individual events, which just clutter things up.

LaramieSmile avatar Jun 15 '17 21:06 LaramieSmile

Would it be possible to make it so you can archive alert IDs for the entire selected time range and not just the visible events on screen?

Yeah, I've thought about this. Like GMail lets you apply an operation to all matching, even if not displayed on the screen (a feature I use). This shouldn't be too hard so perhaps I'll look sooner than later.

jasonish avatar Jun 15 '17 21:06 jasonish

Or/also, the ability to whitelist SIDs so evebox won't ever display them. There are a number of SIDs I'm interested in aggregate numbers for, but don't care to see the individual events and just clutter things up.

Yes, this is planned. It's pending me completing PostgreSQL support tho. But the idea would be to auto-archive events matching a filter where the filter is the same aggregation used in the event display (sid, src ip, dest ip). So they would never show up in the inbox, but show up in searches, etc. Auto archiving, muting, not sure what to call it.

jasonish avatar Jun 15 '17 21:06 jasonish
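The two behaviours discussed in this thread can be sketched in a few lines: archiving every alert in a selected time range rather than only the page on screen, and auto-archiving alerts that match a filter on the same keys the display aggregates on (sid, src ip, dest ip) so they leave the inbox but remain visible to searches and aggregate counts. The block below is an added illustration written here, not EveBox code; the EVE JSON lines, the signature ids (local-rule range) and the function names are all constructed for the example.

```python
import json
from datetime import datetime, timezone

# Constructed sample EVE JSON records (made up for this example, not real alerts).
# Signature ids use the local-rule range so they do not collide with any ruleset.
SAMPLE_EVE_LINES = [
    '{"timestamp":"2017-06-15T20:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","alert":{"signature_id":1000001,"signature":"LOCAL example rule A"}}',
    '{"timestamp":"2017-06-15T20:30:00.000000+0000","event_type":"alert","src_ip":"10.0.0.5","dest_ip":"192.0.2.10","alert":{"signature_id":1000001,"signature":"LOCAL example rule A"}}',
    '{"timestamp":"2017-06-15T21:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.7","dest_ip":"192.0.2.20","alert":{"signature_id":1000002,"signature":"LOCAL example rule B"}}',
    '{"timestamp":"2017-06-16T09:00:00.000000+0000","event_type":"alert","src_ip":"10.0.0.9","dest_ip":"192.0.2.30","alert":{"signature_id":1000002,"signature":"LOCAL example rule B"}}',
    '{"timestamp":"2017-06-16T09:05:00.000000+0000","event_type":"dns","src_ip":"10.0.0.9","dest_ip":"192.0.2.53"}',
]

EVE_TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%f%z"  # EVE timestamps carry a +HHMM offset


def load_alerts(lines):
    """Parse EVE JSON lines, keep only alerts, attach a parsed timestamp and an archived flag."""
    events = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") != "alert":
            continue
        ev["_ts"] = datetime.strptime(ev["timestamp"], EVE_TS_FORMAT)
        ev["_archived"] = False
        events.append(ev)
    return events


def archive_time_range(events, start, end):
    """Archive every alert with start <= timestamp < end, regardless of what a UI page shows."""
    archived = 0
    for ev in events:
        if not ev["_archived"] and start <= ev["_ts"] < end:
            ev["_archived"] = True
            archived += 1
    return archived


def matches_rule(ev, rule):
    """A rule is any subset of {sid, src_ip, dest_ip}; every key present must match."""
    if "sid" in rule and ev["alert"]["signature_id"] != rule["sid"]:
        return False
    if "src_ip" in rule and ev["src_ip"] != rule["src_ip"]:
        return False
    if "dest_ip" in rule and ev["dest_ip"] != rule["dest_ip"]:
        return False
    return True


def auto_archive(events, rules):
    """Mute/auto-archive: archive unarchived alerts matching any rule, return how many."""
    archived = 0
    for ev in events:
        if not ev["_archived"] and any(matches_rule(ev, r) for r in rules):
            ev["_archived"] = True
            archived += 1
    return archived


def inbox(events):
    """The inbox view only shows unarchived alerts."""
    return [ev for ev in events if not ev["_archived"]]


def search_by_sid(events, sid):
    """Searches still return archived alerts, so muted sids remain investigable."""
    return [ev for ev in events if ev["alert"]["signature_id"] == sid]


def sid_counts(events):
    """Aggregate counts per sid include archived alerts (the numbers the reporter still wants)."""
    counts = {}
    for ev in events:
        sid = ev["alert"]["signature_id"]
        counts[sid] = counts.get(sid, 0) + 1
    return counts


def demo():
    """Run both operations over the constructed sample and return the observable results."""
    events = load_alerts(SAMPLE_EVE_LINES)
    start = datetime(2017, 6, 15, 19, 0, tzinfo=timezone.utc)
    end = datetime(2017, 6, 15, 20, 45, tzinfo=timezone.utc)
    by_range = archive_time_range(events, start, end)
    by_rule = auto_archive(events, [{"sid": 1000002, "src_ip": "10.0.0.7"}])
    return {
        "loaded": len(events),
        "archived_by_range": by_range,
        "auto_archived": by_rule,
        "inbox": len(inbox(events)),
        "search_hits_sid_1000002": len(search_by_sid(events, 1000002)),
        "counts": sid_counts(events),
    }


if __name__ == "__main__":
    print(demo())
```

The rule keys deliberately mirror the aggregation keys so a muted group in the display maps directly onto a filter; the inbox, search and count functions are kept separate to show that "archived" only hides an alert from the inbox and never removes it from the record.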

Or/also, the ability to whitelist SIDs so evebox won't ever display them. There are a number of SIDs I'm interested in aggregate numbers for, but don't care to see the individual events and just clutter things up.

Yes, this is planned. It's pending me completing PostgreSQL support tho. But the idea would be to auto-archive events matching a filter where the filter is the same aggregation used in the event display (sid, src ip, dest ip). So they would never show up in the inbox, but show up in searches, etc. Auto archiving, muting, not sure what to call it.

Created a feature issue for this one: https://github.com/jasonish/evebox/issues/52

jasonish avatar Jun 19 '17 06:06 jasonish

Would it be possible to make it so you can archive alert IDs for the entire selected time range and not just the visible events on screen?

@LaramieSmile Trying out a dropdown like this: 6255944561590272

jasonish avatar Jun 19 '17 06:06 jasonish

Closing as notfixed due to age. Don't see myself getting around to this.

jasonish avatar Mar 10 '23 20:03 jasonish