
Pass the Palo Alto Networks Security Operations XSIAM-Analyst questions and answers with ValidTests


Viewing page 2 out of 2 pages
Question 11:

How would Incident Context be referenced in an alert War Room task or alert playbook task?

Options:

A. ${parentIncidentContext}

B. ${getparentIncidentFields}

C. ${parentIncidentFields}

D. ${getParentIncidentContext}

Question 12:

Which attributes can be used as featured fields?

Options:

A. Device-ID, URL, port, and indicator

B. Endpoint-ID, alert source, critical asset, and threat name

C. CIDR range, file hash, tags, and log source

D. Hostnames, user names, IP addresses, and Active Directory

Question 13:

SCENARIO:

A security analyst has been assigned a ticket from the help desk stating that users are experiencing errors when attempting to open files on a specific network share. These errors state that the file format cannot be opened. IT has verified that the file server is online and functioning, but that all files have unusual extensions attached to them.

The security analyst reviews alerts within Cortex XSIAM and identifies malicious activity related to a possible ransomware attack on the file server. This incident is then escalated to the incident response team for further investigation.

Upon reviewing the incident, the responders confirm that ransomware was successfully executed on the file server. Other details of the attack are noted below:

• An unpatched vulnerability on an externally facing web server was exploited for initial access

• The attackers successfully used Mimikatz to dump sensitive credentials that were used for privilege escalation

• PowerShell was used on a Windows server for additional discovery, as well as lateral movement to other systems

• The attackers executed SystemBC RAT on multiple systems to maintain remote access

• Ransomware payload was downloaded on the file server via an external site "file io"

QUESTION STATEMENT:

Which forensics artifact collected by Cortex XSIAM will help the responders identify what the attackers were looking for during the discovery phase of the attack?

Options:

A. PSReadline

B. WordWheelQuery

C. User access logging

D. Shell history

Question 14:

An on-demand malware scan of a Windows workstation using the Cortex XDR agent is successful and detects three malicious files. An analyst attempts further investigation of the files by right-clicking on the scan result, selecting "Additional data," then "View related alerts," but no alerts are reported.

What is the reason for this outcome?

Options:

A. The malicious files were true positives and were automatically quarantined from the scan results

B. The malware scan action detects malicious files but does not generate alerts for them

C. The malicious files are currently in an excluded directory in the Malware Profile

D. The malicious files were false positives and were automatically removed from the scan results

Question 15:

What is the expected behavior when querying a data model with no specific fields specified in the query?

Options:

A. The query will error out and not run.

B. The default dataset=xdr_data fields will be returned.

C. No fields will be returned by default.

D. The xdm_core fieldset will be returned by default.
