"Suspicious Binary Incident" alert
From a customer:
It looks like the alert type is not a static name for incidents (e.g. "Incident alert"), but changes based on the type of incident. In my case, the alert type was "Suspicious Binary incident".
Before, my SIEM was looking for "Incident alert" as the type (since that is the convention used for other alert types). Now I have the SIEM looking for the word "incident" in the alert type. Can you confirm whether or not "incident" will be in the type for all of the different incident types? For example, "Backdoor Admin incident", "Brute force incident", etc.?
Also, I didn't see anything for "Suspicious Binary" in your incident documentation. Is it possible to add that?
Tasks:
- Update the docs to give better guidance on how to configure a SIEM to match incident alerts, including whether the alert type is stable across incident types.
- Explain what "Suspicious Binary" means in the incident documentation.