New to SIEM - not sure what to do with new case

Regular Visitor

I setup my SIEM with Data Connector to MS Security Events and then installed "Failed Login Attempts within 10 minutes" alert. Then I triggered this alert which resulted in a Case. Now what?


I can't seem to drill down to find out which account or host was part of this alert. Maybe I don't have entities mapped correctly, but I was hoping I'd have point and click access to the details. Actually I was somewhat surprised that I had to go out to a Github repo to find some prebuilt alerts.


I'm feeling like I'm in over my head and that I'm either not using this correctly or it's just a framework on which I'm expected to build out what I need. If it's the latter, can anyone recommend how I can get up to speed on this work?


1 Reply
You can look at the "Hunting with Jupyter Notebooks" articles published here to give you an idea of how to use Notebooks to perform a more in-depth analysis