Investigate contributing events - Administrator Guide - Cortex XSIAM - Cortex - Security Operations

Cortex XSIAM Documentation

Product
Cortex XSIAM
Creation date
2024-03-06
Last date published
2025-01-19
Category
Administrator Guide
Abstract

You can investigate the events created by an alert.

When investigating an alert generated by a correlation rule, you can view all of the events created for the alert. You can have up to 1000 events per correlation rule.

In addition, if the correlation rule includes a drilldown query you can run the query in the Query Builder. The drilldown query provides additional information about an alert for further investigation.

How to investigate contributing events
  1. From the Alerts page, locate an alert created by a correlation rule.

  2. Right-click the row, and select Manage AlertInvestigate Contributing Events.

  3. (Optional) Open the drilldown query, if available.

    Right-click the row and select Manage AlertOpen Drilldown Query.

    The drilldown query can accept parameters from the alert output for the correlation rule. In addition, the alert time frame used to run the drilldown query provides more details about the alert generated by the correlation rule. The alert time frame is the minimum and maximum timestamps of the events for the alert. If there is only one event, the event timestamp is the time frame used for the query.