We are running RSA SA, ESA and Archer. In Archer I have an alert for: possible_webshell grouped by source IP: xxx.xx.xxx.xxx, the destination IP: xx.xx.xxx.xxx and the rule: possible_webshell. I go to SA and do an investigation. Now what? How do I confirm whether this is real or nothing to worry about? I need to know this stuff but do not know where to turn to interpret the alerts, not just for this one but for others too.
HELP - John