https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/rule-list/m-p/595629#M71 <P>Whatever incidents are triggering into XSIAM console , on what basis it is triggered ?</P> <P>Need to understand the logic behind that incident ?</P> <P>Which conditions met to trigger that incident ?</P> <P>&nbsp;</P> <P>So under incident details, is there any option to check incident triggered on which parameter (IP , URL, file etc)</P> <P>&nbsp;</P> <P>example :</P> <P>"Credentials gathering protection" incident -&nbsp; where i can find Rule logic for this incident.</P> Thu, 22 Aug 2024 14:24:14 GMT Vishal.raut 2024-08-22T14:24:14Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/rule-list/m-p/595611#M68 <P><SPAN>I&nbsp;</SPAN><STRONG>would like</STRONG><SPAN>&nbsp;to&nbsp;</SPAN><STRONG>see a list of rules regarding</STRONG><SPAN>&nbsp;the&nbsp;</SPAN><STRONG>types of</STRONG><SPAN>&nbsp;incidents&nbsp;</SPAN><STRONG>I receive</STRONG><SPAN>&nbsp;in&nbsp;</SPAN><STRONG>XSIAM.</STRONG></P> <P><STRONG>I am not talking about IOC/BIOC&nbsp;</STRONG></P> <P>&nbsp;</P> <P><STRONG>Can anyone help with the path ?</STRONG></P> Thu, 22 Aug 2024 11:09:06 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/rule-list/m-p/595611#M68 Vishal.raut 2024-08-22T11:09:06Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/rule-list/m-p/595626#M69 <P>Can you please clarify what you mean by rules?&nbsp; Are you asking for detection rules?</P> Thu, 22 Aug 2024 14:13:49 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/rule-list/m-p/595626#M69 afurze 2024-08-22T14:13:49Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/rule-list/m-p/595629#M71 <P>Whatever incidents are triggering into XSIAM console , on what basis it is triggered ?</P> <P>Need to understand the logic behind that incident ?</P> <P>Which conditions met to trigger that incident ?</P> <P>&nbsp;</P> <P>So under incident details, is there any option to check incident triggered on which parameter (IP , URL, file etc)</P> <P>&nbsp;</P> <P>example :</P> <P>"Credentials gathering protection" incident -&nbsp; where i can find Rule logic for this incident.</P> Thu, 22 Aug 2024 14:24:14 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/rule-list/m-p/595629#M71 Vishal.raut 2024-08-22T14:24:14Z https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/rule-list/m-p/595630#M72 <P>This is a complex question.&nbsp; For alerts triggered by a correlation rule, the answer is simple, however, other detections require some analysis to understand what happened.&nbsp; The first place to start is with the Alert Name and Alert Description, these will give you more human-readable information about the alert.&nbsp; As an example, the Credential Gathering Protection module may fire alerts that have a description such as "Mimikatz pattern" or "MiniDumpWriteDump() on lsass.exe".&nbsp; Using this as a clue, we can open the Causality Card for the alert and investigate the chain, as well as the EDR data collected for the alert to understand what happened.</P> <P>&nbsp;</P> <P>I would encourage you to reach out to your Customer Success team for a deeper dive discussion on this.</P> Thu, 22 Aug 2024 14:30:58 GMT https://live.paloaltonetworks.com/t5/cortex-xsiam-discussions/rule-list/m-p/595630#M72 afurze 2024-08-22T14:30:58Z