Whow acknowledged alert #15330

GyciakasGh0st · 2025-12-18T08:42:16Z

GyciakasGh0st
Dec 18, 2025

The indexes .ds-logs-detections.alerts-so*

Has field event.acknowledged it show if alert was acknowledged or not .

But we can't find which will show which user acknowledged Alert. Maybe where is seperate index for that ?

cm-ops · 2025-12-19T19:15:58Z

cm-ops
Dec 19, 2025
Maintainer

You would need to find the acknowleded event in the SOC logs and find the identity_id Then Hunt on that to get the username in the kratos.audit log.

2 replies

GyciakasGh0st Jan 8, 2026
Author

Maybe can more specific for example i acknowlaged alert with soc_id dhammJsB6Unf0n_Ml8Wx i greped throw all logs no matches

cm-ops Jan 9, 2026
Maintainer

It's a manual process in the SOC GUI. In Alerts you need to find the field identity_id then pivor to Hunt and use the kratos.audit logs to find the user.

jertel · 2026-01-12T16:41:52Z

jertel
Jan 12, 2026
Maintainer

I've created a feature request to make this easier to lookup. We'll see about including it in an upcoming release.

#15373

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Whow acknowledged alert #15330

Uh oh!

{{title}}

Uh oh!

Replies: 2 comments 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Select a reply

Uh oh!

Whow acknowledged alert #15330

Uh oh!

GyciakasGh0st Dec 18, 2025

Replies: 2 comments · 2 replies

Uh oh!

cm-ops Dec 19, 2025 Maintainer

Uh oh!

GyciakasGh0st Jan 8, 2026 Author

Uh oh!

cm-ops Jan 9, 2026 Maintainer

Uh oh!

Uh oh!

jertel Jan 12, 2026 Maintainer

GyciakasGh0st
Dec 18, 2025

Replies: 2 comments 2 replies

cm-ops
Dec 19, 2025
Maintainer

GyciakasGh0st Jan 8, 2026
Author

cm-ops Jan 9, 2026
Maintainer

jertel
Jan 12, 2026
Maintainer