- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
08-22-2024 04:09 AM
I would like to see a list of rules regarding the types of incidents I receive in XSIAM.
I am not talking about IOC/BIOC
Can anyone help with the path ?
08-22-2024 07:24 AM
Whatever incidents are triggering into XSIAM console , on what basis it is triggered ?
Need to understand the logic behind that incident ?
Which conditions met to trigger that incident ?
So under incident details, is there any option to check incident triggered on which parameter (IP , URL, file etc)
example :
"Credentials gathering protection" incident - where i can find Rule logic for this incident.
08-22-2024 07:30 AM
This is a complex question. For alerts triggered by a correlation rule, the answer is simple, however, other detections require some analysis to understand what happened. The first place to start is with the Alert Name and Alert Description, these will give you more human-readable information about the alert. As an example, the Credential Gathering Protection module may fire alerts that have a description such as "Mimikatz pattern" or "MiniDumpWriteDump() on lsass.exe". Using this as a clue, we can open the Causality Card for the alert and investigate the chain, as well as the EDR data collected for the alert to understand what happened.
I would encourage you to reach out to your Customer Success team for a deeper dive discussion on this.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!