04-13-2023 05:48 AM
Hi All,
There are incidents on the XDR Console which have an alert dated 10-12 days back. I need to understand the time gap and why this incident was not observed on the same day.
Thank you
04-13-2023 03:55 PM
Hi, is it possible for you to post more details on your question?
04-13-2023 10:01 PM
Hi Kanwar,
There is one incident which got triggered on 28th March, but it has an alert dated 12th March. I am trying to understand how much time it takes for an alert to become an incident and what the criteria for it are.
Thanks
04-13-2023 11:32 PM
Hi @Shahwaz_Md ,
What @KanwarSingh01 was hoping for was for you to provide more information about the alert that was triggered:
- Alert name
- Alert source
- Alert action
One possibility I can think of is that you have created a BIOC rule or added an IOC. When you add a BIOC or IOC, the XDR console will start searching all the existing logs in the data lake and will trigger a retrospective alert. The purpose of this is to alert you if at any time in the past any of those new indicators were observed in your environment. To sum up - creating an IOC or BIOC indicator will trigger an automatic search for these indicators in the EDR data in the data lake, not only future detections.
I am not completely sure if new BIOCs from Palo Alto (via content update) will also trigger a retrospective alert, but it is also possible that a content update has triggered your alert.
"I am trying to understand how much time it takes for an alert to become an incident and what the criteria for it are."
An alert will always trigger an incident immediately when it is received by the XDR console (well, technically it will either create a new alert or decide to aggregate it into an existing incident, but it still happens immediately after the alert is received by the console).
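As an added illustration (not code from the thread or from Palo Alto), the following Python model reproduces the behaviour described in the reply above: a newly added IOC is matched against events already in the data lake, each hit becomes an alert that keeps the original event timestamp, and alerts are turned into incidents the moment they arrive. The event sample, the field names and the "aggregate by host" rule are all assumptions made for the example; the real console's aggregation criteria are not stated in the thread.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Alert:
    name: str
    source: str          # assumed label, e.g. "IOC" or "BIOC"
    event_time: datetime     # when the matched activity happened on the endpoint
    detected_time: datetime  # when the console actually raised the alert
    host: str


@dataclass
class Incident:
    created: datetime
    host: str
    alerts: list = field(default_factory=list)


# Constructed sample of endpoint events already stored in the data lake.
EVENTS = [
    {"host": "WS01", "sha256": "HASH_A", "time": datetime(2023, 3, 12, 9, 0)},
    {"host": "WS01", "sha256": "HASH_B", "time": datetime(2023, 3, 20, 9, 0)},
    {"host": "WS02", "sha256": "HASH_A", "time": datetime(2023, 3, 27, 9, 0)},
]


def retrospective_scan(events, indicator, indicator_added):
    """A newly added IOC is searched against all existing events; every hit
    becomes an alert dated with the event's own timestamp, not the scan time."""
    return [Alert("IOC hit", "IOC", e["time"], indicator_added, e["host"])
            for e in events if e["sha256"] == indicator]


def assign_to_incidents(alerts, incidents=None):
    """Each alert becomes an incident on receipt: aggregated into an open
    incident on the same host (assumed rule), otherwise a new incident."""
    incidents = [] if incidents is None else incidents
    for a in sorted(alerts, key=lambda x: x.detected_time):
        target = next((i for i in incidents if i.host == a.host), None)
        if target is None:
            target = Incident(created=a.detected_time, host=a.host)
            incidents.append(target)
        target.alerts.append(a)
    return incidents


def retrospective_lag_days(incident):
    """Days between incident creation and its oldest alert; a large value is
    the signature of a retrospective hit rather than a delayed detection."""
    return (incident.created - min(a.event_time for a in incident.alerts)).days
```

Adding `HASH_A` on 28 March yields an incident created that day whose alert is dated 12 March, the same 16-day gap the original poster observed.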