topic Re: Incident Promotions from Secure Endpoint to XDR in Endpoint Security

Incident Promotions from Secure Endpoint to XDR

TimBTim — Thu, 05 Sep 2024 11:58:37 GMT

For anyone else using XDR.

Since the change occurred where all alerts from SE are sent XDR we have had little to zero incidents in XDR with SE observable's. While this may be a benefit and working as designed to only promote what would be considered actionable, it also has me wondering.

Curious if anyone else is using XDR and experiencing the same?

Re: Incident Promotions from Secure Endpoint to XDR

Ken Stieers — Thu, 05 Sep 2024 12:40:38 GMT

Yes. Seeing the same thing here too.

Re: Incident Promotions from Secure Endpoint to XDR

Matthew Franks — Thu, 05 Sep 2024 12:43:53 GMT

I have an internal request created to improve the documentation around this data flow but don't currently have a timeline on when a change will be made to the documentation. I can share that part of the reason the change was made was so Secure Endpoint events will get processed with additional contextual information rather than just being Secure Endpoint events duplicated and displayed in XDR. I know that isn't much information, but hopefully that helps and I'll keep pushing to get the documentation updated with more details.

Thanks,

-Matt

Re: Incident Promotions from Secure Endpoint to XDR

TimBTim — Thu, 05 Sep 2024 15:31:23 GMT

Thanks. Really appreciate the reply and sanity check.

Re: Incident Promotions from Secure Endpoint to XDR

TimBTim — Thu, 05 Sep 2024 15:40:33 GMT

Thanks. I appreciate the reply on this. Yes, I would agree that documentation would help.

I am sure it is to make incidents more valuable in terms of actionable investigation, but have a little better understanding and some context would be helpful.