Incident reported late on Console


L3 Networker

Hi All,

There are incidents on the XDR Console which have alerts dated 10-12 days back. I need to understand the time gap and why these incidents were not observed on the same day.

Thank you


3 REPLIES

L3 Networker

Hi, is it possible for you to post more details on your question?

Kind Regards
KS

L3 Networker

Hi Kanwar,

There is one incident which was triggered on 28th March, but it has an alert dated 12th March. I am trying to understand how much time it takes for an alert to become an incident and what the criteria are for it.

Thanks

Hi @Shahwaz_Md ,

What @KanwarSingh01 was hoping for was for you to provide more information about the alert that was triggered:

- Alert name
- Alert source
- Alert action

One possibility I can think of is that you have created a BIOC rule or added an IOC. When you add a BIOC or IOC, the XDR console will start searching all the existing logs in the data lake and will trigger a retrospective alert. The purpose of this is to alert you if at any time in the past any of those new indicators were observed in your environment. To sum up: creating an IOC or BIOC indicator will trigger an automatic search for these indicators in the EDR data in the data lake, not only future detections.

I am not completely sure if new BIOCs from Palo Alto (via content update) will also trigger retrospective alerts, but it is also possible that a content update has triggered your alert.

"I am trying to understand how much time it takes for an alert to become an incident and what the criteria are for it."

An alert will always trigger an incident immediately when it is received by the XDR console (well, technically it will either create a new alert or decide to aggregate it into an existing incident, but it will still do so immediately after the alert is received by the console).
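As an added example (not from the original post, and not Cortex XDR code), the following Python model shows the two mechanisms the answer above describes working together: a newly added IOC or BIOC is matched retrospectively against telemetry already stored in the data lake, and every resulting alert is turned into, or aggregated into, an incident at the moment it is raised. The alert keeps the timestamp of the telemetry record it matched, while the incident is stamped with the time the match was made, which is exactly how an incident created on 28th March can hold an alert dated 12th March. The event fields, the indicator format, the sample telemetry and the grouping rule (one open incident per host within a 24-hour window) are all assumptions chosen for illustration.

```python
"""Model of retrospective indicator matching and immediate alert-to-incident
aggregation. Added example for this thread; not Cortex XDR's implementation.
Event fields, indicator format, sample data and the grouping rule are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


def ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp such as 2024-03-12T09:41:00Z."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


# Constructed sample telemetry already sitting in the data lake (not real data).
DATA_LAKE = [
    {"ts": "2024-03-12T09:41:00Z", "host": "ws-017", "process": "powershell.exe",
     "dst_ip": "198.51.100.23"},
    {"ts": "2024-03-12T09:42:10Z", "host": "ws-017", "process": "powershell.exe",
     "dst_ip": "198.51.100.23"},
    {"ts": "2024-03-20T14:05:00Z", "host": "srv-db1", "process": "svchost.exe",
     "dst_ip": "10.0.0.5"},
    {"ts": "2024-03-28T11:03:00Z", "host": "ws-042", "process": "cmd.exe",
     "dst_ip": "198.51.100.23"},
]


@dataclass
class Indicator:
    kind: str            # "IOC" (single atomic value) or "BIOC" (behavioural combination)
    name: str
    match: dict          # field -> value; every pair must match an event (assumed format)
    added_at: datetime   # when the analyst created it, or a content update delivered it


@dataclass
class Alert:
    name: str
    source: str
    host: str
    event_time: datetime   # timestamp of the matched record: what the console shows as the alert date
    detected_at: datetime  # when the match was actually made


@dataclass
class Incident:
    id: int
    host: str
    created_at: datetime
    alerts: list = field(default_factory=list)


def retro_scan(ind: Indicator, events: list, now: datetime) -> list:
    """Match one indicator against *all* stored events up to `now`, including
    events recorded long before the indicator existed (retrospective search)."""
    alerts = []
    for ev in events:
        when = ts(ev["ts"])
        if when <= now and all(ev.get(k) == v for k, v in ind.match.items()):
            alerts.append(Alert(ind.name, ind.kind, ev["host"], when, now))
    return alerts


def ingest(alerts: list, incidents: list, window: timedelta = timedelta(hours=24)) -> list:
    """Each alert becomes an incident as soon as it is received: it joins an
    open incident for the same host created within `window`, or opens a new
    incident stamped with the alert's detection time (not its event time)."""
    for a in sorted(alerts, key=lambda x: x.detected_at):
        for inc in incidents:
            if inc.host == a.host and timedelta(0) <= a.detected_at - inc.created_at <= window:
                inc.alerts.append(a)
                break
        else:
            incidents.append(Incident(len(incidents) + 1, a.host, a.detected_at, [a]))
    return incidents


def oldest_alert_lag_days(inc: Incident) -> int:
    """Days between the incident's creation and its oldest alert's event time."""
    return (inc.created_at - min(a.event_time for a in inc.alerts)).days


def run_example() -> list:
    """Analyst adds an IOC and a BIOC on 28th March; both are scanned retrospectively."""
    added = ts("2024-03-28T12:00:00Z")
    indicators = [
        Indicator("IOC", "Known C2 address", {"dst_ip": "198.51.100.23"}, added),
        Indicator("BIOC", "PowerShell connecting to C2 address",
                  {"process": "powershell.exe", "dst_ip": "198.51.100.23"}, added),
    ]
    incidents: list = []
    for ind in indicators:
        ingest(retro_scan(ind, DATA_LAKE, ind.added_at), incidents)
    return incidents


if __name__ == "__main__":
    for inc in run_example():
        print(f"incident {inc.id} host={inc.host} created={inc.created_at:%Y-%m-%d} "
              f"alerts={len(inc.alerts)} oldest_alert_lag={oldest_alert_lag_days(inc)}d")
```

When triaging such an incident, the useful checks are the ones this model makes visible: compare each alert's event timestamp with the incident's creation time, and then look at when the matching indicator was created (or when the content update that delivered it was applied). If the indicator's creation time lines up with the incident's creation time, the gap is the retrospective search, not a delayed detection.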
