
New to SIEM - not sure what to do with new case

William3J
Regular Visitor

I set up my SIEM with a Data Connector to MS Security Events and then installed the "Failed Login Attempts within 10 minutes" alert. Then I triggered this alert, which resulted in a Case. Now what?


I can't seem to drill down to find out which account or host was part of this alert. Maybe I don't have entities mapped correctly, but I was hoping I'd have point-and-click access to the details. Actually, I was somewhat surprised that I had to go out to a GitHub repo to find some prebuilt alerts.


I'm feeling like I'm in over my head and that I'm either not using this correctly or it's just a framework on which I'm expected to build out what I need. If it's the latter, can anyone recommend how I can get up to speed on this work?
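As an added illustration of the rule described in this post (example code, not the original post's query and not the rule from the Sentinel GitHub repository), here is a KQL query over the SecurityEvent table that counts failed logons per account and host in 10-minute windows and keeps the account and computer columns that an analytics rule's entity mapping needs in order to show entities in the incident. The threshold of 5 failures and the 1-hour lookback are assumptions; tune them to your environment.

```kql
// Added example: failed Windows logons (Security EventID 4625) ingested via the
// Security Events connector, grouped per account and host in 10-minute bins.
// The threshold and lookback values below are assumptions, not values from the post.
let lookback = 1h;
let window = 10m;
let threshold = 5;
SecurityEvent
| where TimeGenerated > ago(lookback)
| where EventID == 4625                      // "An account failed to log on"
| where AccountType == "User"                // ignore machine/service accounts
| summarize
    FailedCount = count(),
    StartTime = min(TimeGenerated),
    EndTime = max(TimeGenerated),
    SourceIPs = make_set(IpAddress, 10),     // enrichment for the analyst
    LogonTypes = make_set(LogonType, 10)
    by bin(TimeGenerated, window), Account, TargetUserName, Computer
| where FailedCount >= threshold
// Keep scalar columns for the entity mapping: in the rule's Entity mapping tab,
// map Account -> TargetUserName and Host -> Computer. If these columns are
// dropped, the resulting incident has no entities to drill into.
| project StartTime, EndTime, FailedCount, Account, TargetUserName, Computer,
          SourceIPs, LogonTypes
```

Run it in the Logs blade first to confirm it returns rows for the test you triggered, then paste it into a scheduled analytics rule and configure the entity mapping on the projected columns.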


1 Reply
You can look at the "Hunting with Jupyter Notebooks" articles published here to give you an idea of how to use Notebooks to perform a more in-depth analysis.