This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Alerting on Retrospective IOC Matches

Posted on 09-05-2024 03:57 AM
will_garnett
Bronze 1
Bronze 1
Reply posted on --/--/---- --:-- AM

I'm trying to understand how alerting to SOAR works when there's a retrospective match on an IOC. Specifically, when a new IOC is added and it matches against an older event, at what point do the detection rules run, and how are alerts generated in this scenario?

 

Any help would be much appreciated.

0 1 322
Topic Labels
0 Likes
1 REPLY 1

Posted on --/--/---- --:-- AM
ionutm
Staff
Reply posted on --/--/---- --:-- AM

The creation of SOAR alerts are based on the detection rules firing in the SIEM. So if you create rule with logic that checks for a certain IOC and meets the criteria then that rule will fire a SIEM alert which is ingested into the SOAR.

0 Likes
Top Solution Authors
View all