An Alarm raised by SOC? Curious to know what the alarm is and why SOC raised it?
We provide complete transparency to the Partner/Client so they can check which event/alarm the SOC raised.
Pre-Requisites:
1. Login Credentials
2. Portal URL to login
3. Event ID (Ideally mentioned in the ticket)
4. Timestamp the ticket was created (taken from the ticket)
Once you have logged into the tenant with the credentials, note that by this time the event/alarm the SOC raised will have an Event Status of Closed.
To Do:
Change the time interval to cover the timestamp mentioned in the ticket
Change the Event Status to dash dash (--), which covers all events regardless of whether they are open or closed.
There is a specific way to search for the Event ID in the database of the specific tenant.
Change the Event Status as shown below:
Before you paste the Event ID, prefix it with: _id:
Then paste the Event ID into the search bar.
Below is an example search.
When you press the search button, you should see the event.
If the event was raised from the Kill Chain, the view below should highlight the specific event you searched for.
The event/alarm can be raised from multiple places in the UI.
You can also check the event in the Threat Hunting section.
You can also change the index to traffic to check the event if the SOC raised the event to the IH from somewhere other than the security events.