To ensure effective and consistent monitoring, reporting, and handling of information security incidents, incident management capability is necessary for rapid detection, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring the organization’s services and systems.
SIRP’s Incident Management module helps analyze, respond, collaborate, and remediate time-sensitive incidents from inception till resolution to mitigate risks effectively and reduce response time.
Dispositions
The disposition on an incident record is its current status or final outcome. SIRP’s Incident Management module comprises the following dispositions:
Alert
Investigation
Incident
All
Through these dispositions, SIRP allows you to define a different set of fields and workflows, depending on the status and gathered data/evidence. The information to be supplied for each incident disposition is divided into the following sub-sections:
Information
Categorization
Analysis Summary
Evidence
Remediation
Alerts
Alerts in SIRP are signals that indicate a possible attack. Alerts can be either added manually by an analyst or ingested automatically from a SIEM (Security Information and Event Management) solution or another security control.
To access Incident Management Alerts, go to the Main Menu, select Incident Management, and click on the Alerts tab.
Main Menu > Incident Management > Alerts
You can View, Edit, and/or Delete any record by clicking on the ellipsis displayed in the Actions column.
Investigations
Investigation is the stage when an alert is evaluated and assessed by an analyst. All such alerts are displayed in the Investigations list, available in the Incident Management module.
To access Investigations, go to the Main Menu, select Incident Management, and click on Investigations.
Main Menu > Incident Management > Investigations
Incidents
An analyst changes the disposition of an alert or an investigation to Incident when their analysis confirms an attack, or when a resolution or fix is deemed necessary.
The Incidents module in SIRP allows you to document critical information about an attack. The SOC and relevant parties use this information to identify the scope of the attack and its remediation.
Note: Incidents are opened when a certain action or remediation is required on an alert. So, in the Incidents module, an Incident also acts as a “Case”.
Main Menu > Incident Management > Incidents
All
In the "All" disposition, every record (alert, investigation, or incident) is visible regardless of the stage it has reached in the incident response lifecycle.
Actions
Within the "ACTIONS" column, an ellipsis button is available for each incident. Clicking on this button opens a dropdown menu, offering the following options:
Task
Selecting this option opens a pop-up window named "Assign Tasks," revealing task details and assignees related to the incident.
View
Choosing this option redirects users to a detailed interface or a new page displaying all the details associated with the incident selected.
Edit
Just like when creating an alert, investigation, or incident, all these items can be edited once they are created. To initiate editing, users can either click on the "Edit" button from the action column dropdown and make changes from there, or they can navigate to the record and directly click on the "Edit" button located at the top of the screen.
Delete
Clicking on this button triggers a confirmation popup. Selecting 'OK' confirms the deletion of the intended record.
Execute Playbook
Upon clicking this option, a pop-up window labeled 'Execute Playbook' appears. This window contains a dropdown list of all Enabled Playbooks within the SIRP. Users can select a playbook and execute it by clicking the 'Execute' button.
Create
You can add an alert, investigation, or incident by clicking on the Create button displayed at the top of each page. For each disposition, SIRP divides and gathers the required data in five sub-sections:
Information
Subject: This is the name or title of the record.
Priority: Set the priority based on how quickly the remediation needs to be performed. The three levels of priorities available in SIRP are:
Low
Medium
High
Status: Set the status based on the record's current state or outcome:
Open
Close
Deferred, etc.
By default, the status is set to Open. Once the remediation is performed, the SOC Manager or a Senior Analyst can change the status to Close.
Source ID: The identifier the alert carries in the SIEM or other source from which it was ingested. It is shown in the Source ID field of the Edit form for the relevant disposition.
Description: Provide a brief description of the activity.
Start Date: The date when the work started on this particular alert.
Categorization
Members: These are the people who will receive notifications about this incident.
Category: Select a category depending on the type of attack:
Intrusion
Malware
Phishing
Policy violation, etc.
Note: Administrator can customize these categories. For more information, refer to the SIRP Administration Guide.
Subcategories: Each category is divided into subcategories to signify the exact attack within the main category.
Disposition: The disposition on an incident record is the current status or outcome of an incident. The following Dispositions are available in SIRP:
Alert
Investigation
Incident
Not an incident
Selecting Alert, Investigation, or Incident will show that record in the selected Disposition’s tab or stream.
Best Practice: Initially all incidents should be created as an Alert or Investigation by L1 Analyst. Depending on the results of the investigation, the senior analyst should confirm the activity and change the disposition to Incident.
Disposition Subcategory: Each disposition is further classified into three subcategories:
Confirmed
Deferred
Unidentified
Location: Select a location where the particular incident occurred. For example:
Primary Datacenter
Secondary Datacenter
DR Site
Note: The administrator can customize these locations. For more information, refer to the SIRP Administration Guide.
After completing each step, press the Next button that is displayed at the bottom of the page.
Analysis
The analysis section gathers the most critical piece of information. This is where the analyst supplies the details of their findings along with supporting arguments.
Alert Summary: A summary of key factors pointing towards a potentially malicious activity.
Owner/Custodian: Provide information about the custodian of an asset or the name of the department that will handle this incident.
Alert Date: The date when the Alert got triggered.
Detection Date: The date/time when the analyst detected the activity.
Alert Ended: Select No if alerts of the same type are still being received, or Yes if they have stopped.
Alert Duration: Select the duration between the first and the last alert.
Escalation Date: The date at which the incident is escalated to the concerned department or individual.
Severity: The severity of an alert can be selected from one of the four levels:
Low
Medium
High
Critical
Estimated Recovery Clock: The estimated time to recover the affected service; include details if downtime is observed.
Users Affected: Select the number of users affected by the activity.
Hosts Affected: Select the number of hosts affected by the activity.
Alert Type: Select the source of the alert e.g. SIEM, Manual review of logs, etc.
Note: The administrator can customize the list of Alert Types.
Evidence
Evidence Description: Provide a brief description of the supplied evidence or specify where the evidence is collected from.
Evidence: This section allows you to add artifacts or indicators of compromise (IOCs) about a particular alert, investigation, or incident. For example:
Source/Destination IP
URL
IP Address
Hash, etc.
The Attachment icon allows you to attach relevant screenshots. For example, SIEM-filtered search results or initial alert details.
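The Evidence sub-section above lists the artifact kinds analysts paste in (source/destination IP, URL, hash). The following is an added example, not SIRP's own code, that classifies such values so each artifact gets a type, after undoing the defanging conventions (hxxp://, [.], [:]) analysts commonly use when pasting indicators. The sample evidence is constructed, and the action names mapped to each type are assumptions for illustration, standing in for whatever actions the configured apps actually offer in the Artifacts tab.

```python
# Added example (not SIRP's own code): classify the evidence types the page
# lists (IP, URL, hash, plus the domain inside a URL) after refanging.
# SAMPLE_EVIDENCE is constructed; SUPPORTED_ACTIONS is an assumed mapping.
import ipaddress
import re
from typing import Dict, List
from urllib.parse import urlsplit

HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}
DOMAIN_RE = re.compile(
    r"(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

# Assumed mapping of artifact type to the automation actions an app might offer.
SUPPORTED_ACTIONS = {
    "ip": ["geolocate", "reputation_lookup", "block_on_firewall"],
    "url": ["reputation_lookup", "detonate_in_sandbox"],
    "domain": ["whois", "reputation_lookup", "sinkhole"],
    "hash": ["hash_lookup", "hunt_on_endpoints"],
}


def refang(value: str) -> str:
    """Undo the common defanging conventions used when pasting IOCs."""
    v = value.strip()
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", v)
    v = v.replace("[:]", ":").replace("[@]", "@")
    v = re.sub(r"^hxxp", "http", v, flags=re.IGNORECASE)
    return v


def classify(raw: str) -> Dict[str, object]:
    """Return a dict with the normalised value and its detected type."""
    value = refang(raw)
    result: Dict[str, object] = {
        "raw": raw, "value": value, "type": "unknown",
        "defanged": value != raw.strip(),
    }
    low = value.lower()
    # Hashes: hex-only and one of the well-known digest lengths.
    if re.fullmatch(r"[0-9a-f]+", low) and len(low) in HASH_TYPES:
        result.update(type="hash", subtype=HASH_TYPES[len(low)], value=low)
        return result
    # IPv4/IPv6 (ipaddress validates octets, so 300.1.1.1 is rejected).
    try:
        ip = ipaddress.ip_address(value)
        result.update(type="ip", subtype=f"ipv{ip.version}", private=ip.is_private)
        return result
    except ValueError:
        pass
    # URLs: require a scheme and a host so bare paths are not accepted.
    if "://" in value:
        parts = urlsplit(value)
        if parts.scheme in ("http", "https") and parts.hostname:
            result.update(type="url", host=parts.hostname)
            return result
    if DOMAIN_RE.fullmatch(low):
        result.update(type="domain", value=low)
    return result


def classify_artifacts(raws: List[str]) -> List[Dict[str, object]]:
    """Classify a list of pasted artifacts and attach the applicable actions."""
    out = []
    for raw in raws:
        item = classify(raw)
        item["actions"] = SUPPORTED_ACTIONS.get(str(item["type"]), [])
        out.append(item)
    return out


# Constructed sample evidence, as an analyst might paste it into the Evidence field.
SAMPLE_EVIDENCE = [
    "hxxps://login-update[.]example[.]com/verify?id=17",
    "203.0.113.45",
    "10.20.30.40",
    "D41D8CD98F00B204E9800998ECF8427E",
    "mail-relay[.]example[.]net",
    "300.1.1.1",          # malformed: neither IP nor domain, stays "unknown"
]

if __name__ == "__main__":
    for item in classify_artifacts(SAMPLE_EVIDENCE):
        print(f"{item['type']:8} {item['value']!s:48} actions={item['actions']}")
```

Classifying before acting matters because the action list in the Artifacts tab depends on the artifact type; an unrecognised or malformed value gets no actions rather than being sent to a lookup as-is.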
Remediation
Affected Assets: Select the assets affected due to that particular incident.
Data compromised: Select Yes or No depending on whether any data is found to have been compromised as a result of the incident.
Damage Details: Write a brief detail of the damage. For example, OS corruption, hardware failure, reputation loss, etc.
Remediation Details: Suggest actionable steps for the remediation.
Implemented Remediation: Describe the remediation performed by the relevant department. (To be filled only when the incident is resolved and needs closure).
Root Cause Analysis: Provide details of the Root Cause Analysis completed
After adding all the information to the Remediation step, click on the Create button to save changes. This newly created record will be displayed in the stream of the selected Disposition i.e. Alerts, Investigations, or Incidents.
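The Create procedure above sets out a few rules a record must obey: L1 analysts open records as Alert or Investigation, a senior analyst confirms and promotes to Incident, Implemented Remediation is filled only at closure, and the SOC Manager or a Senior Analyst sets the status to Close. The following added example, not SIRP's own code, models those rules as a small record lifecycle with an auto-generated work history of the kind the Timeline tab shows. The role names allowed to promote or close, the enforcement of the page's "Best Practice" as a hard check, and the field names are assumptions made for illustration.

```python
# Added example (not SIRP's own code): a minimal model of the disposition and
# status rules from the Create section. SENIOR_ROLES, the enforcement of the
# page's best practice as a hard check, and the field names are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

DISPOSITIONS = ("Alert", "Investigation", "Incident", "Not an incident")
SUB_DISPOSITIONS = ("Confirmed", "Deferred", "Unidentified")
PRIORITIES = ("Low", "Medium", "High")
STATUSES = ("Open", "Close", "Deferred")

# Page: a senior analyst confirms and changes the disposition to Incident;
# the SOC Manager or a Senior Analyst changes the status to Close.
SENIOR_ROLES = ("Senior Analyst", "SOC Manager")


@dataclass
class Record:
    subject: str
    disposition: str = "Alert"
    sub_disposition: str = "Unidentified"
    priority: str = "Medium"
    status: str = "Open"
    implemented_remediation: str = ""
    timeline: list = field(default_factory=list)  # auto-generated work history

    def _log(self, actor: str, event: str) -> None:
        self.timeline.append((datetime.now(timezone.utc), actor, event))


def create_record(actor: str, role: str, subject: str,
                  disposition: str = "Alert", priority: str = "Medium") -> Record:
    if disposition not in DISPOSITIONS or priority not in PRIORITIES:
        raise ValueError("unknown disposition or priority")
    # Assumed enforcement of the best practice: only senior roles may open
    # a record directly as an Incident.
    if disposition == "Incident" and role not in SENIOR_ROLES:
        raise PermissionError(f"{role} may not create a record as Incident")
    rec = Record(subject, disposition=disposition, priority=priority)
    rec._log(actor, f"created as {disposition} ({priority})")
    return rec


def set_disposition(rec: Record, actor: str, role: str, new: str,
                    sub: str = "Unidentified") -> Record:
    if new not in DISPOSITIONS or sub not in SUB_DISPOSITIONS:
        raise ValueError("unknown disposition or sub-disposition")
    if new == "Incident" and role not in SENIOR_ROLES:
        raise PermissionError(f"{role} may not promote a record to Incident")
    old = rec.disposition
    rec.disposition, rec.sub_disposition = new, sub
    rec._log(actor, f"disposition {old} -> {new} ({sub})")
    return rec


def close_record(rec: Record, actor: str, role: str, implemented: str) -> Record:
    if role not in SENIOR_ROLES:
        raise PermissionError(f"{role} may not close records")
    if not implemented.strip():
        raise ValueError("Implemented Remediation must be filled before closure")
    rec.implemented_remediation = implemented
    rec.status = "Close"
    rec._log(actor, "status Open -> Close")
    return rec


def refused(fn, *args) -> Optional[str]:
    """Return the exception type name if the action is refused, else None."""
    try:
        fn(*args)
    except (PermissionError, ValueError) as exc:
        return type(exc).__name__
    return None


def walkthrough() -> Record:
    """Alert opened by L1, confirmed by a senior analyst, then closed."""
    rec = create_record("l1.ana", "L1 Analyst", "Suspicious login from new geo")
    # An L1 analyst may not promote directly to Incident:
    assert refused(set_disposition, rec, "l1.ana", "L1 Analyst", "Incident") == "PermissionError"
    set_disposition(rec, "l1.ana", "L1 Analyst", "Investigation")
    set_disposition(rec, "sr.bob", "Senior Analyst", "Incident", "Confirmed")
    # Closure requires Implemented Remediation to be filled in:
    assert refused(close_record, rec, "sr.bob", "Senior Analyst", "  ") == "ValueError"
    close_record(rec, "sr.bob", "Senior Analyst", "Reset credentials, revoked sessions")
    return rec


if __name__ == "__main__":
    for when, actor, event in walkthrough().timeline:
        print(when.isoformat(timespec="seconds"), actor, event)
```

Refused actions leave no timeline entry, so the work history records only what actually changed on the record; every accepted transition is logged with the acting user.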
Lesson Learned, Contained by & Containment
The Incident Management module provides users with a convenient way to create and add Lesson Learned, Contained by & Containment Status in any ticket on-the-go without navigating to the admin module. Within the Create/Update drawer, users can easily add Lesson Learned, Contained By, and Containment Status entries directly from the Remediation category.
Accessing the Feature:
Open the Create/Update drawer within the Incident Management module.
Navigate to the Remediation category.
Locate the "+" icon positioned adjacent to the Lesson Learned, Contained By, and Containment Status fields.
Click on the "+" icon.
A text input field will appear for the respective remediation action.
Enter the desired value directly into the field.
Click on the Create/Update button located at the bottom of the form (drawer).
Upon clicking Create/Update, the newly added value will be:
Automatically included in the dropdown list for future selection.
Saved in the respective field for immediate use and reference.
This streamlined process enhances user efficiency by eliminating the need to navigate to the admin module for remediation management tasks.
Tree Graph
This tab visualizes and correlates artifacts within an incident with other modules. It is one of the most important features of SIRP which provides correlation to the SOC team in terms of occurrences of particular artifacts and the number of times they have been seen in other modules of SIRP.
Workflows
SIRP helps define, prioritize, and drive standardized incident response activities according to a standard workflow. It allows an organization to streamline incident analysis and response procedures in a workflow format, such that each step to remediate the incident is available for an analyst, such as:
Analysis
Containment
Eradication
Recovery
Post-Incident
This keeps security analysts on the same page with interactive incident management.
For example, without the availability of proper workflow, a newly hired analyst may take too much time or cause a human error, while investigating or closing an incident.
Standardized workflows help analysts gain greater visibility so that every member can be more effective individually and the team can be more efficient as a whole.
Moreover, an analyst can be assigned to tasks wherever their efforts are required.
To access workflows, go to the Main Menu, select Incident Management, and click on Incidents. Select the Task under the Action column of the Incident.
Bulk Actions
In the Incident Management interface, users can efficiently manage multiple records through the convenient "Bulk Actions" feature located at the top right of the screen. This button serves as a dropdown menu, offering three primary options: Update, Delete, and Execute Playbook.
Update
SIRP allows analysts to update the status of multiple incidents (alerts, incidents, and investigations) at once. It also provides the option to create custom tickets and update them.
Select multiple items, then open the Bulk Actions dropdown at the top right of the Incident Management module and choose Update.
This will open a pop-up window.
Enter the fields:
Priority
Severity
Status
Disposition
Sub Disposition (if any)
Category
Assign to
Remediation Details
Comment
Click Save.
Delete
To delete specific records, users must first mark the checkboxes next to the desired entries. Subsequently, from the "Bulk Actions" dropdown, select the 'Delete' option. Triggering this action prompts a confirmation pop-up window. Upon selecting 'OK,' all marked records are permanently removed.
Execute Playbook Action
Executing playbooks on selected records involves a two-step process. Initially, users must mark the checkboxes adjacent to the records intended for playbook execution. Following this, navigate to the "Bulk Actions" dropdown and choose 'Execute Playbook'.
This action triggers a pop-up window labeled "Execute Playbook," featuring a dropdown field. Within this field, users can choose from a list of enabled playbooks. Subsequently, selecting a playbook and clicking the 'Execute' button initiates the playbook on the chosen records.
Reports
SIRP also provides the option to generate reports for a specified period. To generate a report, click on the Generate Reports option that is available at the top of the Incident Management module tabs.
Select your desired time-period and Disposition. Then click on the Generate button. The PDF report will be generated and opened in a new browser tab. From there you can save it on your machine.
You can also export the complete details in a PDF or Excel report by clicking on the Export button available at the top right corner of the details page.
Incident View
Once an Alert, Investigation, or Incident is created, the relevant individuals from different departments can add comments, and SOC leads can assign workflow-based tasks by clicking on the View button available under the Actions column.
The Incident View page comprises different sections and tabs, which are discussed below:
Incident Description
This tab provides details associated with an incident. These may include the following:
Description
Damage details
Analysis summary
Subcategories
Owner/custodian
Estimated Recovery Clock
Attack Duration
Escalation Date
Detection Method
Data Compromised
Users Affected
Hosts Affected
Close Date
Attack Ended
Timeline
The Timeline tab serves as a comprehensive repository of the work history associated with a specific record, capturing a chronological sequence of events along with their dates, times, and Alert ID. It gives users insight into how the record's activities have evolved. To reach the timeline, go to the Incident Management module, click the VIEW button under Actions to view any record, and then open the Timeline tab at the bottom of the view screen.
Views
The Timeline Tab offers two distinct views to accommodate varying user preferences:
Time-Oriented View:
This view organizes events based on their chronological occurrence, presenting a sequential timeline of activities.
Users can easily track the temporal progression of events, gaining a clear understanding of the record's history in a time-ordered manner.
Log-Oriented View:
In this view, events are presented in a log-based format, emphasizing detailed information about each specific occurrence.
Users can delve into comprehensive logs of every event associated with the record, providing a detailed and exhaustive account of its history.
Log Generation
For each event that transpires within the record, the Timeline Tab automatically generates logs. These logs capture crucial information about the event, ensuring transparency and accountability in the management of the record.
The dual-view functionality of the Timeline Tab enhances user flexibility, allowing them to choose between a chronological overview or a detailed log-based analysis based on their specific needs. This feature provides an invaluable tool for tracking and understanding the historical context of a record, facilitating effective record management.
Members
The Members tab within the Incident view facilitates the addition of team members to an open alert. This feature enables collaboration and information sharing among team members assigned to specific incidents.
Usage
Locate the 'Members' widget/tab on the right side of the screen and click on the 'Add Team Members' button.
A dropdown list containing all members available in the organization will appear. Use the search bar within the dropdown to look for specific team members.
Click on the selected member to add them to the incident ticket. Once the member is added, a toast notification will appear to confirm.
The added team member will appear in the Members tab.
Artifacts
This tab lists all the artifacts/IOCs related to the incident. Analysts can use this tab to execute automation actions on any of the artifacts. The execution results are displayed at the bottom of the page.
Artifacts with supported actions will be highlighted with a dropdown option. To execute a new action, click on any artifact and it will display a list of applications with supported actions for the artifact. Mouse over the desired application and click on the desired action.
Error Code Search in App Logs
Users can easily access app error logs directly from alerts, investigations & Incidents. It eliminates the need to manually search through large amounts of data to find specific error codes, enhancing user experience and efficiency.
Navigate to the Artifacts tab in the bottom section of the view screen. Execute an action from the Artifacts tab.
Locate the executed action in the Automation section inside the artifact tab.
Click on the settings icon and select Show Raw Output.
In the Raw section, click on the view eye icon.
This will display the App Logs containing the generated app error log.
Affected Assets
This tab shows the list and details of all the assets tagged in the incident.
Remediation
This tab displays the remediation suggestions (provided at the time of creating an incident). Whereas, the implemented remediation section specifies the actual remediation done.
Comments
Users can use this section to communicate by adding comments. Users can also embed images and attach files with their comments.
Comment Types:
Public: Visible to all users, regardless of whether they are assigned to or members of the alert.
Internal: Visible only to users who are assigned to or members of the alert.
Private: Visible only to the user tagged in the comment.
Type "@" followed by a username within the comment to tag that user; this triggers a notification on the bell icon and also sends an email notification to the tagged user.
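Because comment visibility is an access-control rule, it is worth seeing the three types and the "@username" tagging written as a testable predicate. The following is an added example, not SIRP's own code. The ticket and thread are constructed, and two points are assumptions the page does not state: an author can always see their own comment, and a tag never widens visibility (a user tagged in an Internal comment who is neither assigned nor a member is not notified, since they could not read it).

```python
# Added example (not SIRP's own code): comment visibility rules and @-tagging.
# Assumptions: authors see their own comments; a tag never widens visibility.
import re
from dataclasses import dataclass
from typing import FrozenSet, List

# A tag is "@" followed by a username, not preceded by a word character,
# so e-mail addresses such as x@y.z are not treated as tags.
MENTION_RE = re.compile(r"(?<![\w@])@([A-Za-z0-9_.-]+)")


@dataclass(frozen=True)
class Comment:
    author: str
    kind: str          # "Public", "Internal" or "Private"
    text: str


@dataclass(frozen=True)
class Ticket:
    assignees: FrozenSet[str]
    members: FrozenSet[str]


def mentions(text: str) -> List[str]:
    """Usernames tagged with @ in the comment text, without duplicates."""
    return sorted(set(MENTION_RE.findall(text)))


def can_view(comment: Comment, viewer: str, ticket: Ticket) -> bool:
    if viewer == comment.author:          # assumption: authors see their own
        return True
    if comment.kind == "Public":
        return True
    if comment.kind == "Internal":
        return viewer in ticket.assignees or viewer in ticket.members
    if comment.kind == "Private":
        return viewer in mentions(comment.text)
    raise ValueError(f"unknown comment type {comment.kind!r}")


def notify_targets(comment: Comment, ticket: Ticket) -> List[str]:
    """Tagged users who receive the bell and email notification.
    Only users who can actually read the comment are notified."""
    return [u for u in mentions(comment.text)
            if u != comment.author and can_view(comment, u, ticket)]


def visible_comments(comments: List[Comment], viewer: str,
                     ticket: Ticket) -> List[Comment]:
    return [c for c in comments if can_view(c, viewer, ticket)]


# Constructed sample ticket and thread: alice is assigned, bob is a member,
# carol and dave are neither.
TICKET = Ticket(assignees=frozenset({"alice"}), members=frozenset({"bob"}))
THREAD = [
    Comment("alice", "Public", "Initial triage done, see attached SIEM export."),
    Comment("alice", "Internal", "@bob host looks compromised, pull a memory image."),
    Comment("bob", "Internal", "@dave can you check the proxy logs?"),
    Comment("alice", "Private", "@carol please approve the firewall block."),
]

if __name__ == "__main__":
    for user in ("alice", "bob", "carol", "dave"):
        seen = [c.kind for c in visible_comments(THREAD, user, TICKET)]
        print(f"{user:6} sees {seen}")
    print("notified for comment 3:", notify_targets(THREAD[2], TICKET))
```

The Private case is the one to watch: tagging carol makes the comment readable to her even though she is not on the ticket, which is exactly what the page specifies, so analysts should not put Internal-only detail into a Private comment addressed to an outsider.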
Tasks
Depending on the phase (of the incident management lifecycle) at which the incident currently stands, and its category, tasks can be defined and assigned to a person or department either automatically or manually.
New tasks can be added by clicking on the Create Task button available on top within the Tasks tab.
Clicking on the button will open a popup with a form containing the following fields:
Name
Description
Start Date
Status: (Current status of the task)
Task Category: (One of the phases from the incident management lifecycle)
Analysis
Containment
Eradication
Recovery
Post-Incident
Assigned: The person to whom this task is assigned.
Incident: It denotes the incident to which the task pertains.
Choose files: Users can add a relevant screenshot (if applicable).
Click on the Create button to add the task to the task list.
Playbook Logs
The Playbook Logs tab provides users with a detailed and organized presentation of every playbook execution associated with the record under examination. Presented in tabular form, it offers comprehensive information, giving a clear picture of each playbook's impact on the record's lifecycle.
Table Structure
The table in the Playbooks Logs tab has the following columns:
Playbook: Provides details and a link to the executed playbook.
Status: Indicates whether the playbook has been executed or is in progress.
Scheduled: Displays a timestamp indicating when the playbook was executed.
Action: Features an eye icon that redirects to a detailed log of the playbook.
Buttons in Incident View
In the incident management's container view screen, located at the top right, there is a button named "Email". By clicking this button, users can generate a detailed report of the ticket currently being viewed on the screen.
The Email button provides two templates for the message:
Notify: This template offers three ways to notify a user about the details of the ticket.
PDF Attachments: Sends a PDF file to the user's email.
Inline Email Body: Includes all the details of the ticket in the email body.
Don’t send details: Sends only an email notification to the user.
Follow-up: This template includes the ticket's ID, subject, and any attached notes.
Run Playbook
On the view screen of any disposition in Incident Management, located at the top right, there is a button labeled ‘Run Playbook’. This button allows users to execute any playbook on that specific container instance.
To execute a playbook, click on the ‘Run Playbook’ button, which will prompt a window named “Execute Playbook”. In this window, select the desired playbook from the dropdown menu and click on the execute button.
Upon successful execution, a toast notification will appear. Additionally, users can view the log of the executed playbook in the 'Playbook Logs' tab located in the bottom header of the view screen.
Disposition Dropdown
In the Alert Viewscreen, there is a dropdown button located beside the edit button. This dropdown allows users to change the disposition of the ticket currently being viewed.
To perform this action, click on the dropdown button and select the desired disposition into which you want to convert the alert.
Download files from closed incidents
Files can be downloaded from an incident in Closed status. The following download types are available to any user.
1. Exporting a PDF Report of a Closed Incident:
Purpose: Generate a PDF document containing information about a closed incident for future reference or record-keeping.
Availability: This feature is accessible within the specific closed incident view.
Steps:
Navigate to the desired closed incident.
Click the “Export” button.
The incident details will be downloaded as a PDF file.
2. Downloading Evidence File:
Purpose: Download the evidence files uploaded of the incident.
Availability: These files are accessible directly from the closed incident’s view.
Steps:
Navigate to the desired closed incident.
View the selected incident.
Under "Evidence Description", click on the icon of the attached file.
Dispense Ticket Button
A button in the shape of a square lattice located in the upper right corner of the Alert view allows users to send all details of a specific incident/case to preconfigured ITSM tools. This action streamlines the process of dispatching relevant information to external systems for further processing.
Usage
Click on the square lattice, and a dropdown menu will appear with a list of available applications. Select the desired application from the list. A prompt window labeled 'Configuration' will appear.
Provide the necessary configuration details in the 'Configuration' window and click on the Execute button. This action will dispatch the information as a ticket to your desired ITSM.
Upon successful execution, a toaster message will appear confirming the completion of the dispatch action.
Multi-Select Search In Incident Management
The multi-select search functionality within the Incident Management (IM) module lets users filter records on several criteria at once, so that critical incidents can be identified and addressed quickly.
Applied to the status dropdown, the multi-select search shows every record matching any of the selected statuses in a single view, which saves analysts from running one search per status.
Dropdown Selection:
Locate the status dropdown menu. Click on it to reveal the available status options.
Selecting Multiple Statuses:
To select multiple statuses, click each corresponding option in the dropdown.
Viewing Filtered Results:
After selecting the desired statuses, observe how the list of incidents updates to reflect the chosen filters. You will now see incidents that match any of the selected status levels.
Clearing Filters:
If you wish to start over or remove all selected status filters, simply deselect each status.
Save Searches
This feature enables users to save their searches and filters to easily reload the same view in the future. Users can quickly apply saved filter templates instead of manually selecting each filter again.
Users can also set a default search for a specific container's disposition so that whenever they visit the same page again, they get the filtered data.
Saving Searches
1. Navigate to Incident Management and then to any disposition.
2. From the search bar, apply filters and sorting preferences to the table records based on your requirements.
3. Once the desired filters and sorting options are applied, click on the "Save Search" button.
4. Add a name or label for the new saved search template to easily identify it in the future and click on the ‘Submit’ button to save.
5. The saved search will be added to the search field's dropdown list for future use.
Applying Saved Searches
To apply a saved search template, open the search field's dropdown list.
Select the desired saved search template from the list.
The records list will automatically adjust to reflect the filters and sorting preferences saved in the selected template.
Setting Default Saved Search
There is a "Star" icon adjacent to each Saved search value in the dropdown list. Click on that Star icon to set that Search as a default one.
The default Saved Search is automatically applied whenever the user opens that particular Container's disposition.
Resetting Filters
In the search field's dropdown list, there is a 'Reset' button. Clicking on it removes all the filters that were applied as a result of the saved search.
Deleting Saved Searches
Click on the 'Bin' icon adjacent to the search name to delete the saved search.
Note: You cannot delete a Saved search that is being used in one of the scheduled Reports. To delete it, first delete the Report schedule.
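The multi-select status filter and the saved-search behaviour described in the two sections above (any-of-the-selected-statuses matching, a starred default per disposition, and the refusal to delete a search that a scheduled report still references) come together in the following added example, which is not SIRP's own code. The record fields, the shape of a saved search, and the way a scheduled report references a search by name are assumptions for illustration; the sample records are constructed.

```python
# Added example (not SIRP's own code): multi-status filtering plus a saved-search
# store with a per-disposition default and a delete guard for searches that a
# scheduled report still references. Record/report structure is assumed.
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Search:
    name: str
    statuses: Tuple[str, ...]          # multi-select; empty tuple = no status filter
    priority: Optional[str] = None
    sort_by: str = "start_date"
    descending: bool = True


def apply_search(records: List[dict], search: Search) -> List[dict]:
    """Records matching ANY selected status (and the priority, if set), sorted."""
    hits = [r for r in records
            if (not search.statuses or r["status"] in search.statuses)
            and (search.priority is None or r["priority"] == search.priority)]
    return sorted(hits, key=lambda r: r[search.sort_by], reverse=search.descending)


class SavedSearches:
    def __init__(self) -> None:
        self._by_disposition: Dict[str, Dict[str, Search]] = {}
        self._default: Dict[str, str] = {}            # disposition -> search name
        self.scheduled_reports: Dict[str, str] = {}   # report name -> search name

    def save(self, disposition: str, search: Search) -> None:
        self._by_disposition.setdefault(disposition, {})[search.name] = search

    def set_default(self, disposition: str, name: str) -> None:
        """The starred search, applied automatically when the page is opened."""
        if name not in self._by_disposition.get(disposition, {}):
            raise KeyError(f"no saved search {name!r} for {disposition}")
        self._default[disposition] = name

    def default_for(self, disposition: str) -> Optional[Search]:
        name = self._default.get(disposition)
        return self._by_disposition[disposition][name] if name else None

    def delete(self, disposition: str, name: str) -> bool:
        """Delete a saved search; returns False if a scheduled report uses it."""
        if name in self.scheduled_reports.values():
            return False
        self._by_disposition.get(disposition, {}).pop(name, None)
        if self._default.get(disposition) == name:
            del self._default[disposition]
        return True


# Constructed sample records for one disposition's list view.
RECORDS = [
    {"id": 1, "subject": "Phishing mail", "status": "Open", "priority": "High", "start_date": "2024-05-01"},
    {"id": 2, "subject": "Malware beacon", "status": "Deferred", "priority": "High", "start_date": "2024-05-03"},
    {"id": 3, "subject": "Policy violation", "status": "Close", "priority": "Low", "start_date": "2024-05-02"},
    {"id": 4, "subject": "Brute force", "status": "Open", "priority": "Medium", "start_date": "2024-05-04"},
]

if __name__ == "__main__":
    store = SavedSearches()
    active = Search("open-or-deferred", ("Open", "Deferred"))
    store.save("Incidents", active)
    store.set_default("Incidents", active.name)
    for r in apply_search(RECORDS, store.default_for("Incidents")):
        print(r["id"], r["status"], r["subject"])
    store.scheduled_reports["weekly-open"] = active.name
    print("deleted:", store.delete("Incidents", active.name))   # blocked by the report
```

The delete guard mirrors the note above: a search that feeds a scheduled report cannot be removed until the report schedule is deleted, which keeps the report from silently running against no filter.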
Quick Stats Widgets
The Quick Stats Widgets feature enhances the user experience by offering collapsible widgets that provide rapid access to key statistics. These widgets are strategically positioned at the top of the Alerts, Investigations, and Incidents container, ensuring easy visibility and accessibility. Users can now obtain a swift overview of record trends, which are dynamically generated based on the duration and search query selected by the user.