I can find very little information on SEC to distinguish whether an alert has been triggered by an on-access scan or by a scheduled scan. I know that Sophos has this knowledge, as I can find this information in the email alerts that are sent by SEC, i.e. scan: on-access or Daily, .... But I'd like to be able to retrieve this information also from the SEC logs/database to build use cases for the SIEM on top of it. Thanks