I’m working on adding more info to the ExtraHop Detection SIEM Connector - LEEF trigger that sends detections to QRadar (our SIEM), and while doing so I noticed that the descriptions for detections with a device as an offender or victim look like the following:
device:24643sent a request to a database server outside the network. Investigate to determine if the server is malicious or if
device:24643is compromised. For example, if
device:24643is compromised, an attacker might be serving malware from the malicious server.
Is the above expected or is there something wrong with the trigger?