Hi @Shahwaz_Md ,

What @KanwarSingh01 was hoping for was more information about the alert that was triggered:

- Alert name

- Alert source

- Alert action

One possibility I can think of is that you have created a BIOC rule or added an IOC. When you add a BIOC or IOC, the XDR console will start searching all the existing logs in the data lake and will trigger a retrospective alert. The purpose of this is to alert you if at any time in the past any of those new indicators were observed in your environment. To sum up: creating an IOC or BIOC indicator will trigger an automatic search for these indicators in the EDR data in the data lake, not only future detections.

I am not completely sure if new BIOCs from Palo Alto (via content update) will also trigger retrospective alerts, but it is also possible that a content update triggered your alert.

"I am trying to understand how much time it takes for an alert to become an incident and what the criteria for it are."

An alert will always trigger an incident immediately when it is received by the XDR console (well, technically it will either create a new one or decide to aggregate the alert into an existing incident, but either way this happens immediately after the alert is received by the console).

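To make the two points in the reply above concrete (a newly added indicator being matched against historical EDR data, and each resulting alert being either attached to an existing incident or opening a new one), here is an added, stand-alone Python model. It is not Cortex XDR code and does not call the Cortex XDR API; the event records, the IOC/BIOC matching fields, the `Indicator`/`Alert`/`Incident` classes and the "same host within a time window" grouping rule are all assumptions constructed for the example. The point it shows is that a retrospective alert carries the original event time, which predates the time the indicator was added, while a forward detection does not.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Constructed sample of historical EDR events, standing in for the data lake.
EVENTS = [
    {"ts": "2024-03-01T08:15:00", "host": "ws01", "process": "powershell.exe",
     "cmdline": "powershell -enc SQBFAFgA", "sha256": "1111"},
    {"ts": "2024-03-02T09:30:00", "host": "ws02", "process": "notepad.exe",
     "cmdline": "notepad.exe notes.txt", "sha256": "2222"},
    {"ts": "2024-03-03T11:00:00", "host": "ws01", "process": "evil.exe",
     "cmdline": "evil.exe --beacon", "sha256": "3333"},
    {"ts": "2024-03-10T14:00:00", "host": "ws03", "process": "evil.exe",
     "cmdline": "evil.exe", "sha256": "3333"},
]


@dataclass
class Indicator:
    """Hypothetical indicator: an IOC is an atomic value (here a file hash),
    a BIOC is a behavioural rule over process name and command line."""
    name: str
    kind: str                 # "IOC" or "BIOC"
    added_ts: datetime        # when the indicator was created in the console
    sha256: Optional[str] = None
    process: Optional[str] = None
    cmdline_contains: Optional[str] = None

    def matches(self, ev: dict) -> bool:
        if self.kind == "IOC":
            return ev["sha256"] == self.sha256
        # BIOC: every populated behavioural field must match the event.
        if self.process and ev["process"].lower() != self.process.lower():
            return False
        if self.cmdline_contains and self.cmdline_contains not in ev["cmdline"]:
            return False
        return True


@dataclass
class Alert:
    name: str            # alert name (the indicator that fired)
    source: str          # alert source: "IOC" or "BIOC"
    action: str          # alert action, e.g. "Detected"
    host: str
    event_ts: datetime   # when the activity actually happened
    raised_ts: datetime  # when the console raised the alert
    retrospective: bool  # event predates the indicator that matched it


@dataclass
class Incident:
    id: int
    host: str
    alerts: List[Alert] = field(default_factory=list)


def scan(events, indicators, now: datetime) -> List[Alert]:
    """Run every indicator over the whole event history, as the reply says the
    console does when an indicator is added: past matches become retrospective
    alerts, matches after the indicator's creation are ordinary detections."""
    alerts = []
    for ev in events:
        ev_ts = datetime.fromisoformat(ev["ts"])
        for ind in indicators:
            if ind.matches(ev):
                alerts.append(Alert(ind.name, ind.kind, "Detected", ev["host"],
                                    ev_ts, now, retrospective=ev_ts < ind.added_ts))
    return alerts


def aggregate(alerts, incidents, window=timedelta(days=3)) -> List[Incident]:
    """Assumed grouping rule (not Cortex XDR's real one): an alert joins an
    incident on the same host whose latest alert is within `window`; otherwise
    it opens a new incident. Either way the decision is made per alert, at once."""
    for a in sorted(alerts, key=lambda x: x.event_ts):
        for inc in incidents:
            if inc.host == a.host and abs(a.event_ts - inc.alerts[-1].event_ts) <= window:
                inc.alerts.append(a)
                break
        else:
            incidents.append(Incident(len(incidents) + 1, a.host, [a]))
    return incidents


def run_example():
    added = datetime(2024, 3, 5, 12, 0)   # both indicators created on 5 March
    indicators = [
        Indicator("Known bad hash", "IOC", added, sha256="3333"),
        Indicator("Encoded PowerShell", "BIOC", added,
                  process="powershell.exe", cmdline_contains="-enc"),
    ]
    alerts = scan(EVENTS, indicators, now=datetime(2024, 3, 11))
    incidents = aggregate(alerts, [])
    return alerts, incidents


if __name__ == "__main__":
    for a, in [(x,) for x in run_example()[0]]:
        print(f"{a.event_ts} {a.host} {a.source}:{a.name} retrospective={a.retrospective}")
```

Running it, the 1 March PowerShell event and the 3 March `evil.exe` event both fire as retrospective alerts (their event time is before the 5 March indicator creation), while the 10 March `evil.exe` event is a normal forward detection; the two `ws01` alerts are grouped into one incident and the `ws03` alert opens a second.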