I set up my SIEM with a Data Connector to MS Security Events and then installed the "Failed Login Attempts within 10 minutes" alert. Then I triggered this alert, which resulted in a Case. Now what?
I can't seem to drill down to find out which account or host was part of this alert. Maybe I don't have entities mapped correctly, but I was hoping I'd have point-and-click access to the details. Actually, I was somewhat surprised that I had to go out to a GitHub repo to find some prebuilt alerts.
I'm feeling like I'm in over my head and that I'm either not using this correctly or it's just a framework on which I'm expected to build out what I need. If it's the latter, can anyone recommend how I can get up to speed on this work?