Huntress incident reports don't fit the traditional SIEM model. Typically, a SIEM is meant to store a stream of raw events and run triggers on those events in order to respond to anomalous activity. A SIEM also gives security analysts the ability to review the historic and surrounding events. Since these alerts are unfiltered, they require further review to understand the context of the situation and to decide whether the event is actually a security incident or not.
The incident reports Huntress generates have already been vetted by our SOC team. Either we investigated something that appeared anomalous and generated an incident, or we found something we had previously seen and knew to be malicious. In both cases, these alerts have been analyzed and deemed an incident. The incident report that Huntress generates contains details on how to remediate. In most cases, it doesn't make sense to mix the actionable Huntress incident reports with the raw, unvetted events that are generated and logged to a SIEM.