XDR: EVENT ID Search in BDS Platform

Has the SOC raised an alarm? Curious to know what the alarm is and why the SOC raised it?

We provide complete transparency so the Partner/Client can check which event/alarm the SOC raised.


Pre-Requisites:
1. Login credentials
2. Portal URL to log in
3. Event ID (ideally mentioned in the ticket)
4. Timestamp the ticket was created (taken from the ticket)


Once you have logged into the tenant with the credentials, note that by this time the event/alarm the SOC raised will have an Event Status of closed.


To Do:
1. Change the time interval to cover the timestamp mentioned in the ticket.
2. Change the Event Status to dash dash (--), which covers all events regardless of whether the event is open or closed.
3. To search for the Event ID there is a specific process to find the event in the database of the specific tenant. Change the Event Status as shown below:

 
Before you paste the Event ID, type the prefix _id: in the search bar, then paste the Event ID directly after it (the query takes the form _id:<Event ID>).

Below is an example search:

 
When you press the search button, you should see the event.
 

If the event was raised from the Kill Chain, the view below should highlight the specific event you searched for.
The event/alarm can be raised from multiple places in the UI.
You can also check the event in the Threat Hunting section.


 

You can also change the index to Traffic to check the event, in case the SOC raised the event to the IH from traffic rather than from the security events.
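As an added illustration (not part of this article or of the BDS platform itself), the Python model below mimics the three filters the steps above set: the index, the Event Status (where -- means open and closed), and a time interval that must cover the ticket timestamp. The event records, index names and time window are constructed assumptions; the point it shows is that a closed SOC event is hidden unless the status filter is -- and the interval and index are right.

```python
from datetime import datetime, timedelta

# Constructed sample records standing in for a tenant's indices (not real BDS data).
EVENTS = [
    {"index": "security_events", "_id": "evt-0001", "event_status": "closed",
     "timestamp": datetime(2024, 3, 5, 10, 12)},
    {"index": "traffic", "_id": "evt-0002", "event_status": "closed",
     "timestamp": datetime(2024, 3, 5, 11, 30)},
    {"index": "security_events", "_id": "evt-0003", "event_status": "open",
     "timestamp": datetime(2024, 3, 6, 9, 0)},
]

# Constructed ticket timestamps: one inside the events' window, one days later.
TICKET_TIME = datetime(2024, 3, 5, 10, 15)
LATE_TICKET_TIME = datetime(2024, 3, 9, 10, 15)


def parse_query(query: str) -> str:
    """Accept only the '_id:<Event ID>' form the article prescribes."""
    prefix = "_id:"
    event_id = query[len(prefix):].strip()
    if not query.startswith(prefix) or not event_id:
        raise ValueError("search must be entered as '_id:<Event ID>'")
    return event_id


def search_event(query, ticket_time, index="security_events", event_status="--",
                 window=timedelta(hours=2)):
    """Apply the UI filters: index, Event Status ('--' = any), and a time
    interval of +/- window around the ticket timestamp."""
    event_id = parse_query(query)
    start, end = ticket_time - window, ticket_time + window
    return [
        e for e in EVENTS
        if e["index"] == index
        and e["_id"] == event_id
        and (event_status == "--" or e["event_status"] == event_status)
        and start <= e["timestamp"] <= end
    ]


if __name__ == "__main__":
    # Default 'open' filter hides the closed SOC event; '--' finds it.
    print(search_event("_id:evt-0001", TICKET_TIME, event_status="open"))  # []
    print(search_event("_id:evt-0001", TICKET_TIME))                       # 1 hit
    # Same ID under the wrong index or outside the interval is not found.
    print(search_event("_id:evt-0002", TICKET_TIME))                       # []
    print(search_event("_id:evt-0002", TICKET_TIME, index="traffic"))      # 1 hit
```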



