I need a solution
I'm trying to figure out some way to get value out of the GIN watchlists. By themselves the value is fairly low due to high false positive rates, but I was ...
I need a solution
I'm trying to write a query that will show me any unassigned incidents for a certain time period (actually, that is just the first step, what I'm really ...
This issue has been solved
I need a solution
Can anyone confirm that Windows events with event id 562, 682 and 615 have a mechanism of "application exploit"?
event ID 562 = object ...
This issue has been solved
I need a solution
We have created a custom rule to trigger on Symantec SEP alerts. We want to include the "actual action" from the alerts in the notification. Unfortunately, ...
I need a solution
Can anyone provide some clarity around how to use regex matching in a correlation rule? I found no reference to it in the 4.7 rules guide at all (oddly enough I did ...
I need a solution
Can someone confirm whether they have a source IP address for any Windows logon events? Do a query with a filter of "Mechanisms contains login" and ...
I need a solution
We are struggling with the apparent lack of consistency in the parsing and storing of event data into columns for each device type. Is there a base set of columns we ...
I need a solution
I have the rule below. "Correlate By" is set to none. I want a new incident each and every time this event is seen. I keep getting "incident ...
I need a solution
I've got a ton of "ip watchlist destination" and "ip watchlist source" incidents. I've been watching them with curiosity for a few ...