I have created and conducted some forensic cases on Cortex XDR, but one thing that has always intrigued me is the "Alert" tab in the Forensic Investigation section. Does this tab contain alerts generated by the automatic artifact analysis feature based on behavior rules? And how can I utilize this feature, as I have never seen any alerts appear in this tab?
Thanks you for your time in this topic,
I performed triage and threat hunting across numerous machines, resulting in thousands of ingested files. While I'm certain there are suspicious activities present, no alerts were triggered. Are the rules used to trigger alerts for these files based on BIOC? Is it possible for me to write custom rules to trigger alerts for ingested files? Are there any prerequisites I need to fulfill before enabling this functionality?
After a day of research, I understand that data is ingested into Cortex XDR using the Cortex XDR Forensics Add-on with forensics datasets. If I want to query this data, I need to call the datasets I highlighted in the image below. However, in BIOC, only the xdr_data and cloud_audit_log datasets can be used. Therefore, it's impossible to write BIOC rules for data from the Forensics Add-on and only IOCs can be used to create alerts for them. Is my understanding correct?
Thank you for taking the time for me.
