02-03-2023 02:09 AM
Assume an alert has been generated in the XDR. If the IP involved in the artifacts is raised as malicious or suspicious by some of the security vendors in VT (VirusTotal) or shown as malware by WildFire, is the IP really suspicious? Please explain.
02-04-2023 01:40 PM
Hi @VineethArumulla ,
I believe it is the opposite (if I may put it this way).
- XDR could generate alerts for various reasons.
- This alert is associated with an incident. An incident is simply a "container"/aggregator for related alerts.
- The XDR console will collect the key artifacts from those alerts and present them in this tab. This is mainly to give you a quick way to see all the files, IP addresses and users that are involved in this incident.
- In addition to summarizing all the files and IP addresses, XDR will give you additional context for those by showing threat intelligence (TI) information from VirusTotal and WildFire.
Do not expect XDR to raise an alert if your host tries to connect to an IP that has a high suspicious score on VirusTotal.
If you want XDR to raise an alert if a known suspicious IP, file or domain is seen in your organization, you need to create an IOC. You can integrate another Threat Intelligence Platform, which will automatically import IOCs to your XDR, but this is completely different from the Key Assets & Artifacts tab. The latter is only there to give you additional context.
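To make the distinction in the reply above concrete, here is an added Python model of the three pieces it describes: an incident aggregating the artifacts of its alerts, TI enrichment that only attaches context, and IOC matching as the one path that actually produces a new alert. This is an illustrative example, not Cortex XDR code and not its API; the alert names, IP addresses, hashes, detection counts and WildFire verdicts are all constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class Alert:
    """One alert and the artifacts it references (hypothetical shape, not XDR's)."""
    name: str
    ips: Set[str] = field(default_factory=set)
    hashes: Set[str] = field(default_factory=set)
    users: Set[str] = field(default_factory=set)


@dataclass
class Incident:
    """An incident is just a container for related alerts."""
    alerts: List[Alert] = field(default_factory=list)

    def key_artifacts(self) -> Dict[str, Set[str]]:
        """Union of files, IPs and users across all alerts, like a Key Artifacts tab."""
        merged: Dict[str, Set[str]] = {"ips": set(), "hashes": set(), "users": set()}
        for a in self.alerts:
            merged["ips"] |= a.ips
            merged["hashes"] |= a.hashes
            merged["users"] |= a.users
        return merged


# Constructed lookup tables standing in for VirusTotal / WildFire responses.
VT_IP_DETECTIONS = {"203.0.113.10": 7, "198.51.100.5": 0}   # vendors flagging the IP
WILDFIRE_VERDICTS = {"0" * 64: "malware", "1" * 64: "benign"}  # fake SHA-256 values


def enrich(artifacts: Dict[str, Set[str]]) -> Dict[str, Dict[str, object]]:
    """Attach TI context to each artifact. Context only: nothing here raises an alert."""
    ctx: Dict[str, Dict[str, object]] = {}
    for ip in artifacts["ips"]:
        ctx[ip] = {"type": "ip", "vt_detections": VT_IP_DETECTIONS.get(ip)}
    for h in artifacts["hashes"]:
        ctx[h] = {"type": "hash", "wildfire": WILDFIRE_VERDICTS.get(h, "unknown")}
    return ctx


def review_candidates(context: Dict[str, Dict[str, object]], min_detections: int = 5) -> List[str]:
    """Artifacts an analyst should look at first, judged from TI. These are still not alerts."""
    out = []
    for indicator, info in context.items():
        if info["type"] == "ip" and (info["vt_detections"] or 0) >= min_detections:
            out.append(indicator)
        elif info["type"] == "hash" and info["wildfire"] == "malware":
            out.append(indicator)
    return sorted(out)


def ioc_matches(artifacts: Dict[str, Set[str]], iocs: Dict[str, Set[str]]) -> List[Alert]:
    """Only indicators explicitly present on the IOC list produce a new alert."""
    alerts = []
    for ip in sorted(artifacts["ips"] & iocs.get("ip", set())):
        alerts.append(Alert(name="IOC match: IP", ips={ip}))
    for h in sorted(artifacts["hashes"] & iocs.get("hash", set())):
        alerts.append(Alert(name="IOC match: hash", hashes={h}))
    return alerts


def build_sample_incident() -> Incident:
    """Constructed incident with two related alerts sharing an IP and a user."""
    return Incident(alerts=[
        Alert("Suspicious process", ips={"203.0.113.10"}, hashes={"0" * 64}, users={"alice"}),
        Alert("Outbound connection", ips={"203.0.113.10", "198.51.100.5"}, users={"alice"}),
    ])


if __name__ == "__main__":
    incident = build_sample_incident()
    artifacts = incident.key_artifacts()
    context = enrich(artifacts)
    print("worth reviewing:", review_candidates(context))
    print("alerts without IOC list:", ioc_matches(artifacts, {}))
    print("alerts with IOC list:", ioc_matches(artifacts, {"ip": {"203.0.113.10"}}))
```

Running it shows the point of the reply: the IP with seven VirusTotal detections and the hash with a WildFire "malware" verdict surface as review candidates, but no alert exists for them until the same indicator is on the IOC list.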