Security Event Handling & database management

Good day!

Is there some procedure on security event handling if the endpoint protection has detected a breach/virus?

Also, is there some procedure for database housekeeping or historical data handling?

Thanks!



This thread was automatically locked due to age.
Hello Floki,

depends on what you mean exactly by "detected a virus". Central/Intercept X has the Threat Cases (formerly Root Cause Analysis) feature; there's no equivalent in SEC. Even TC doesn't return a verdict though, to quote from the article: "The information provided [...] does not necessarily require an action, but helps you to investigate [...]". Most detections (if you notice them at all) don't require investigation. SIEM tools offer help but have their limits and won't provide ideal results out-of-the-box.

historical data handling
AFAIK Events and acknowledged Alerts are deleted after one year (you can configure this in the console using Tools > Configure Reporting ..., tab Purge). Outstanding Alerts are kept "forever", and outstanding errors are automatically acknowledged after 14 days. In addition there's the PurgeDB.exe tool.

Christian
