To ensure effective and consistent monitoring, reporting, and handling of information security incidents, incident management capability is necessary for rapid detection, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring the organization’s services and systems.
SIRP’s Incident Management module helps analyze, respond, collaborate, and remediate time-sensitive incidents from inception till resolution to mitigate risks effectively and reduce response time.
Dispositions
The disposition on an incident record is the current status or the final outcome of an incident. SIRP’s Incident Management module comprises the following dispositions:
Alert
Investigation
Incident
All
Through these dispositions, SIRP allows you to define a different set of fields and workflows, depending on the status and gathered data/evidence. The information to be supplied for each incident disposition is divided into the following sub-sections:
Information
Categorization
Analysis Summary
Evidence
Remediation
Alerts
Alerts in SIRP are signals that indicate a possible attack. Alerts can be either manually added by an analyst or automatically ingested from a SIEM (Security Information Event Management) solution or security control.
To access Incident Management Alerts, go to the Main Menu, select Incident Management, and click on the Alerts tab.
Main Menu > Incident Management > Alerts
You can View, Edit, and/or Delete any record by clicking on the ellipsis displayed in the Actions column.
Investigations
Investigation is the stage when an alert is evaluated and assessed by an analyst. All such alerts are displayed in the Investigations list, available in the Incident Management module.
To access Investigations, go to the Main Menu, select Incident Management, and click on Investigations.
Main Menu > Incident Management > Investigations
Incidents
The analyst changes the disposition of an alert or an investigation to an Incident when his analysis results in the confirmation of an attack or when some resolution or fix is deemed necessary.
The Incidents module in SIRP allows you to document critical information about an attack. The SOC and relevant parties use this information to identify the scope of the attack and its remediation.
Note: Incidents are opened when a certain action or remediation is required on an alert. So, in the Incidents module, an Incident also acts as a “Case”.
Main Menu > Incident Management > Investigations
All
In the "All" disposition, all alerts are visible regardless of the stage they have reached in the Incident Response Lifecycle.
Actions
Within the "ACTIONS" column, an ellipsis button is available for each incident. Clicking on this button opens a dropdown menu, offering the following options:
Task
Selecting this option opens a pop-up window named "Assign Tasks," revealing task details and assignees related to the incident.
View
Choosing this option redirects users to a detailed interface or a new page displaying all the details associated with the incident selected.
Edit
Allows you to Edit the Incident details.
Delete
Clicking on this button triggers a confirmation popup. Selecting 'OK' confirms the deletion of the intended record.
Execute Playbook
Upon clicking this option, a pop-up window labeled 'Execute Playbook' appears. This window contains a dropdown list of all Enabled Playbooks within the SIRP. Users can select a playbook and execute it by clicking the 'Execute' button.
Create
You can add an alert, investigation, or incident by clicking on the Create button displayed at the top of each page. For each disposition, SIRP divides and gathers the required data in five sub-sections:
Information
Subject: This is the name or title of the record.
Priority: Set the priority based on how quickly the remediation needs to be performed. The three levels of priorities available in SIRP are:
Low
Medium
High
Status: Set the status based on the current status or outcome:
Open
Close
Deferred, etc.
By default, the status is set to Open. Once the remediation is performed, the SOC Manager or a Senior Analyst can change the status to Close.
Description: Provide a brief description of the activity.
Start Date: The date when the work started on this particular alert.
Categorization
Members: These are the people who will receive notifications about this incident.
Category: Select a category depending on the type of attack:
Intrusion
Malware
Phishing
Policy violation, etc.
Note: Administrator can customize these categories. For more information, refer to the SIRP Administration Guide.
Subcategories: Each category is divided into subcategories to signify the exact attack within the main category.
Disposition: The disposition on an incident record is the current status or outcome of an incident. The following Dispositions are available in SIRP:
Alert
Investigation
Incident
Not an incident
Selecting Alert, Investigation, or Incident will show that record in the selected Disposition’s tab or stream.
Best Practice: Initially, all incidents should be created as an Alert or Investigation by an L1 Analyst. Depending on the results of the investigation, the senior analyst should confirm the activity and change the disposition to Incident.
Disposition Subcategory: Each disposition is further classified into three subcategories:
Confirmed
Deferred
Unidentified
Location: Select a location where the particular incident occurred. For example:
Primary Datacenter
Secondary Datacenter
DR Site
Note: The administrator can customize these locations. For more information, refer to the SIRP Administration Guide.
After completing each step, press the Next button that is displayed at the bottom of the page.
Analysis
The analysis section gathers the most critical information. This is where the analyst supplies the details of their findings along with supporting arguments.
Alert Summary: A summary of key factors pointing towards a potentially malicious activity.
Owner/Custodian: Provide information about the custodian of an asset or the name of the department that will handle this incident.
Alert Date: The date when the Alert got triggered.
Detection Date: The date/time when the analyst detected the activity.
Alert Ended: Select Yes or No depending on whether multiple alerts of the same type are still being received or not.
Alert Duration: Select the duration between the first and the last alert.
Escalation Date: The date at which the incident is escalated to the concerned department or individual.
Severity: The severity of an alert can be selected from one of the four levels:
Low
Medium
High
Critical
Estimated Recovery Clock: Include details if downtime is observed.
Users Affected: Select the number of users affected by the activity.
Hosts Affected: Select the number of hosts affected by the activity.
Alert Type: Select the source of the alert, e.g., SIEM, manual review of logs, etc.
Note: The administrator can customize the list of Alert Types.
Evidence
Evidence Description: Provide a brief description of the supplied evidence or specify where the evidence is collected from.
Evidence: This section allows you to add artifacts or indicators of compromise (IOCs) about a particular alert, investigation, or incident. For example:
Source/Destination IP
URL
IP Address
Hash, etc.
The Attachment icon allows you to attach relevant screenshots. For example, SIEM-filtered search results or initial alert details.
Remediation
Affected Assets: Select the assets affected due to that particular incident.
Data Compromised: Select Yes or No depending on whether any data is found to be compromised as a result of the incident.
Damage Details: Write a brief description of the damage. For example, OS corruption, hardware failure, reputation loss, etc.
Remediation Details: Suggest actionable steps for the remediation.
Implemented Remediation: Describe the remediation performed by the relevant department. (To be filled only when the incident is resolved and needs closure).
Root Cause Analysis: Provide details of the Root Cause Analysis completed.
After adding all the information to the Remediation step, click on the Create button to save changes. The newly created record will be displayed in the stream of the selected Disposition, i.e., Alerts, Investigations, or Incidents.
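The disposition and status rules described in the Create steps above (records start as an Alert or Investigation, a senior analyst confirms an Incident, and a SOC Manager or Senior Analyst closes the record once the Implemented Remediation is recorded) can be expressed as a small lifecycle model. This is an added example, not SIRP's own code; the Record class, function names and TransitionError are assumptions made for illustration.

```python
# Added example (not SIRP code): a minimal model of the record lifecycle in
# this guide. Role names and rules come from the text; names are assumptions.
from dataclasses import dataclass, field

DISPOSITIONS = ("Alert", "Investigation", "Incident", "Not an incident")
# Roles the guide allows to confirm an Incident or close a record.
SENIOR_ROLES = frozenset({"Senior Analyst", "SOC Manager"})


class TransitionError(Exception):
    """Raised when a disposition/status change violates the documented rules."""


@dataclass
class Record:
    subject: str
    disposition: str = "Alert"
    status: str = "Open"          # default status per the guide
    implemented_remediation: str = ""
    timeline: list = field(default_factory=list)  # (actor, role, event) entries

    def log(self, actor: str, role: str, event: str) -> None:
        self.timeline.append((actor, role, event))


def create_record(subject: str, actor: str, role: str,
                  disposition: str = "Alert") -> Record:
    # Best practice: new records start as an Alert or Investigation.
    if disposition not in ("Alert", "Investigation"):
        raise TransitionError("new records must be created as Alert or Investigation")
    rec = Record(subject, disposition)
    rec.log(actor, role, f"created as {disposition}")
    return rec


def set_disposition(rec: Record, new: str, actor: str, role: str) -> Record:
    if new not in DISPOSITIONS:
        raise TransitionError(f"unknown disposition {new!r}")
    # Only a senior analyst confirms an attack and promotes the record to Incident.
    if new == "Incident" and role not in SENIOR_ROLES:
        raise TransitionError("only a Senior Analyst or SOC Manager may confirm an Incident")
    rec.log(actor, role, f"disposition {rec.disposition} -> {new}")
    rec.disposition = new
    return rec


def close_record(rec: Record, actor: str, role: str) -> Record:
    if role not in SENIOR_ROLES:
        raise TransitionError("only a Senior Analyst or SOC Manager may close a record")
    # Implemented Remediation is filled only when the incident is resolved.
    if not rec.implemented_remediation.strip():
        raise TransitionError("fill Implemented Remediation before closing")
    rec.log(actor, role, "status Open -> Close")
    rec.status = "Close"
    return rec
```

Rejected transitions raise before anything is logged, so the timeline only records changes that actually took effect.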
Tree Graph
This tab visualizes and correlates the artifacts within an incident against other modules. It is one of the most important features of SIRP: it shows the SOC team where a particular artifact has occurred and how many times it has been seen across the other SIRP modules.
Workflows
SIRP helps define, prioritize, and drive standardized incident response activities according to a standard workflow. It allows an organization to streamline incident analysis and response procedures in a workflow format, so that each step needed to remediate the incident is available to the analyst, such as:
Analysis
Containment
Eradication
Recovery
Post-Incident
This keeps security analysts on the same page with interactive incident management.
For example, without the availability of proper workflow, a newly hired analyst may take too much time or cause a human error, while investigating or closing an incident.
Standardized workflows help analysts gain greater visibility so that every member can be more effective individually and the team can be more efficient as a whole.
Moreover, an analyst can be assigned to tasks wherever their efforts are required.
To access workflows, go to the Main Menu, select Incident Management, and click on Incidents. Select the Task under the Action column of the Incident.
Bulk Actions
In the Incident Management interface, users can efficiently manage multiple records through the convenient "Bulk Actions" feature located at the top right of the screen. This button serves as a dropdown menu, offering three primary options: Update, Delete, and Execute Playbook.
Update
SIRP allows analysts to update the status of multiple incidents (alerts, incidents, and investigations) at once. It also provides the option to create custom tickets and update them.
Select multiple items and click on the Bulk Update button at the top left of the Incident Management module.
This will open a pop-up window.
Enter the fields:
Priority
Severity
Status
Disposition
Sub Disposition (if any)
Category
Assign to
Remediation Details
Comment
Click Save.
Delete
To delete specific records, users must first mark the checkboxes next to the desired entries. Subsequently, from the "Bulk Actions" dropdown, select the 'Delete' option. Triggering this action prompts a confirmation pop-up window. Upon selecting 'OK,' all marked records are permanently removed.
Execute Playbook Action
Executing playbooks on selected records involves a two-step process. Initially, users must mark the checkboxes adjacent to the records intended for playbook execution. Following this, navigate to the "Bulk Actions" dropdown and choose 'Execute Playbook'.
This action triggers a pop-up window labeled "Execute Playbook," featuring a dropdown field. Within this field, users can choose from a list of enabled playbooks. Subsequently, selecting a playbook and clicking the 'Execute' button initiates the playbook on the chosen records.
Reports
SIRP also provides the option to generate reports for a specified period. To generate a report, click on the Generate Reports option that is available at the top of the Incident Management module tabs.
Select your desired time-period and Disposition. Then click on the Generate button. The PDF report will be generated and opened in a new browser tab. From there you can save it on your machine.
You can also export the complete details in a PDF or Excel report by clicking on the Export button available at the top right corner of the details page.
Incident Details
Once an Alert, Investigation, or Incident is created, the relevant individuals from different departments can add comments, and SOC leads can assign workflow-based tasks by clicking on the View button available under the Actions column.
The Incident View page comprises different sections and tabs, which are discussed below:
Incident Description
This tab provides details associated with an incident. These may include the following:
Description
Damage details
Analysis summary
Subcategories
Owner/custodian
Estimated Recovery Clock
Attack Duration
Escalation Date
Detection Method
Data Compromised
Users Affected
Hosts Affected
Close Date
Attack Ended
Timeline
The Timeline serves as a comprehensive repository of the work history associated with a specific record, capturing a chronological sequence of events along with their corresponding dates and times. This gives users insight into how the record's activities have evolved. To reach the timeline, go to the Incident Management module, click on the VIEW button under Actions to view a record, and then open the Timeline tab at the bottom of the view screen.
Views
The Timeline Tab offers two distinct views to accommodate varying user preferences:
Time-Oriented View:
This view organizes events based on their chronological occurrence, presenting a sequential timeline of activities.
Users can easily track the temporal progression of events, gaining a clear understanding of the record's history in a time-ordered manner.
Log-Oriented View:
In this view, events are presented in a log-based format, emphasizing detailed information about each specific occurrence.
Users can delve into comprehensive logs of every event associated with the record, providing a detailed and exhaustive account of its history.
Log Generation
For each event that transpires within the record, the Timeline Tab automatically generates logs. These logs capture crucial information about the event, ensuring transparency and accountability in the management of the record.
The dual-view functionality of the Timeline Tab enhances user flexibility, allowing them to choose between a chronological overview or a detailed log-based analysis based on their specific needs. This feature provides an invaluable tool for tracking and understanding the historical context of a record, facilitating effective record management.
Artifacts
This tab lists all the artifacts/IOCs related to the incident. Analysts can use this tab to execute automation actions on any of the artifacts. The execution results are displayed at the bottom of the page.
Artifacts with supported actions will be highlighted with a dropdown option. To execute a new action, click on any artifact and it will display a list of applications with supported actions for the artifact. Mouse over the desired application and click on the desired action.
Affected Assets
This tab shows the list and details of all the assets tagged in the incident.
Remediation
This tab displays the remediation suggestions (provided at the time of creating an incident). The Implemented Remediation section specifies the actual remediation done.
Comments
Users can use this section to communicate by adding comments. Users can also embed images and attach files with their comments.
Comment Types:
Public: These comments are visible to all users, regardless of whether they are assigned to or are members of the alert.
Internal: These comments are only visible to users who are assigned to or are members of an alert.
Private: Visible only to the user who has been tagged in the comment.
Tasks
Depending on the phase (of the incident management lifecycle) at which the incident currently stands, and its category, tasks can be defined and assigned to a person or department either automatically or manually.
New tasks can be added by clicking on the Create Task button available on top within the Tasks tab.
Clicking on the button will open a popup with a form containing the following fields:
Name
Description
Start Date
Status: (Current status of the task)
Task Category: (One of the phases from the incident management lifecycle)
Analysis
Containment
Eradication
Recovery
Post-Incident
Assigned: The person to whom this task is assigned.
Incident: It denotes the incident to which the task pertains.
Choose files: Users can add a relevant screenshot (if applicable).
Click on the Create button to add the task to the task list.
Save Searches
This feature enables users to save their searches and filters to easily reload the same view in the future. Users can quickly apply saved filter templates instead of manually selecting each filter again.
Users can also set a default search for a specific container's disposition so that whenever they visit the same page again, they get the filtered data.
Using Saved Searches
1. Navigate to Incident Management and then to any disposition.
2. From the search bar, apply filters and sorting preferences to the table records based on your requirements.
3. Once the desired filters and sorting options are applied, click on the "Save Search" button.
4. Add a name or label for the new saved search template to easily identify it in the future and click on the ‘Submit’ button to save.
5. The saved search will be added to the search field's dropdown list for future use.
Applying Saved Searches
To apply a saved search template, open the search field's dropdown list.
Select the desired saved search template from the list.
The records list will automatically adjust to reflect the filters and sorting preferences saved in the selected template.
Setting Default Saved Search
There is a "Star" icon adjacent to each Saved search value in the dropdown list. Click on that Star icon to set that Search as a default one.
The default Saved Search is automatically applied whenever the user opens that particular Container's disposition.
Resetting Filters
In the search field's dropdown list, there is a 'Reset' button. Clicking on it removes all the filters that were applied as a result of the saved search.
Deleting Saved Searches
Click on the 'Bin' icon adjacent to the Search name to delete the saved search.
Note: You cannot delete a Saved search that is being used in one of the scheduled Reports. To delete it, first delete the Report schedule.