Investigate contributing events - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2024-10-13
Category
Administrator Guide
Abstract

You can investigate the events created by an alert.

When managing alerts generated by a correlation rule, you can view all the events created for this alert. You can have up to 1000 events per correlation rule. In addition, if the alert generated for this correlation rule includes a drilldown query, you can run the query in the Query Builder. A drilldown query provides additional information about the alert for further investigation.

The drilldown XQL query can accept parameters from the alert output for the correlation rule. In addition, the alert time frame used to run the drilldown query provides more details about the alert generated by the correlation rule. The alert time frame is the minimum and maximum timestamps of the events for the alert. If there is only one event, the event timestamp is the time frame used for the query.

How to investigate contributing events
  1. From the Alerts page, locate the alert you want to investigate contributing events.

  2. Right-click the row, and select Manage AlertInvestigate Contributing Events.

  3. (Optional) Open the drilldown query, if available.

    Right-click the row and select Manage AlertOpen Drilldown Query or Manage AlertInvestigate Contributing Events.