This module is used for warehousing the parent incident records that come over from SIEM, from other integrations (e.g. Data Loss Prevention platforms, email systems), and/or from manual entry (telephone, SMTP, form, law enforcement). Additionally, all incident-related workflow will be handled within this module.

The module will provide a central location for managing incidents, both those created from aggregated security alerts and those that are manually reported:

  • Ingest aggregated incidents and events from SIEM.
  • Tie the imported incident to contextual asset and business information.
  • View all incident data as well as individual incident events (alerts).
  • Manage the complete incident handling workflow: assigning a SOC or regional analyst to review and assess the incident, escalating it to a higher-level analyst for further investigation and analysis, and creating and assigning response and remediation tasks.
  • Maintain relationships to the following additional applications:
    • Security Alerts
    • Incident Response Tasks
    • Incident Journal
    • Devices
    • Findings
  • Security Alerts Application – In our deployment, this application will be used to warehouse the payload or ‘event’ level data for each parent incident in the Security Incidents application. It will store the individual alerts reported by SIEM that make up an incident (including alerts pushed manually via “right-click”). In the Security Alerts application, you will do the following:
    • View the details of a security alert, such as source and destination device information, severity level, threat source, event description, and enriched business context.
  • Incident Investigations Application – In our deployment, this application will be used to track investigative activities across multiple like incidents.
    • All “parent” level investigative activity for a group of like incidents is performed in the Incident Investigations application. Individual incidents remain in the Security Incidents application and are cross-referenced into the Incident Investigations record. The SOC analyst uses this parent record to report on all activities related to the group of related incidents, while remediation tasks for each individual incident are still tracked and maintained in the Security Incidents application.
  • Incident Journal Application – In our deployment, this application will be used to enter notes and actions taken during the course of handling an incident.
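The relationships described above, as an added illustration that is not the product's own code or API: a small in-memory model in which SIEM alerts become child records of a parent incident, the incident is tied to asset context, the assign/escalate/task workflow is written to the journal, and like incidents are grouped under one investigation while their tasks stay on the individual incidents. The correlation key (rule + destination), the field names, the asset inventory and the sample alerts are all assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed asset inventory standing in for the CMDB that supplies the
# "contextual asset and business information" an incident is tied to.
ASSETS = {
    "10.0.1.20": {"hostname": "payroll-db01", "owner": "Finance", "criticality": "high"},
    "10.0.2.15": {"hostname": "kiosk-07", "owner": "Facilities", "criticality": "low"},
}

@dataclass
class SecurityAlert:            # child, event-level record (Security Alerts)
    alert_id: str
    rule: str
    src: str
    dst: str
    severity: int
    description: str
    source: str = "SIEM"         # or "manual" for a right-click push

@dataclass
class Incident:                 # parent record (Security Incidents)
    incident_id: str
    rule: str
    asset_context: dict
    alerts: List[SecurityAlert] = field(default_factory=list)
    state: str = "new"           # new -> assigned -> escalated -> closed
    assignee: Optional[str] = None
    tasks: List[str] = field(default_factory=list)       # Incident Response Tasks
    journal: List[str] = field(default_factory=list)     # Incident Journal
    investigation_id: Optional[str] = None               # Incident Investigations

    @property
    def severity(self) -> int:
        # Incident severity is the worst of its constituent alerts.
        return max(a.severity for a in self.alerts)

class IncidentStore:
    """Aggregates alerts into incidents keyed on (rule, destination); assumed key."""
    def __init__(self) -> None:
        self.incidents: Dict[str, Incident] = {}
        self.investigations: Dict[str, List[str]] = {}
        self._by_key: Dict[Tuple[str, str], str] = {}

    def ingest(self, alert: SecurityAlert) -> Incident:
        key = (alert.rule, alert.dst)
        inc_id = self._by_key.get(key)
        if inc_id is None:                      # first alert for this key opens a parent
            inc_id = f"INC-{len(self.incidents) + 1:04d}"
            context = ASSETS.get(alert.dst, {"criticality": "unknown"})
            self.incidents[inc_id] = Incident(inc_id, alert.rule, context)
            self._by_key[key] = inc_id
            self.incidents[inc_id].journal.append(f"created from {alert.source} alert {alert.alert_id}")
        inc = self.incidents[inc_id]
        inc.alerts.append(alert)                # later alerts attach as children
        return inc

    def assign(self, inc_id: str, analyst: str) -> None:
        inc = self.incidents[inc_id]
        if inc.state != "new":
            raise ValueError("only a new incident can be assigned")
        inc.state, inc.assignee = "assigned", analyst
        inc.journal.append(f"assigned to {analyst}")

    def escalate(self, inc_id: str, senior: str) -> None:
        inc = self.incidents[inc_id]
        if inc.state != "assigned":
            raise ValueError("only an assigned incident can be escalated")
        inc.state, inc.assignee = "escalated", senior
        inc.journal.append(f"escalated to {senior}")

    def add_task(self, inc_id: str, task: str) -> None:
        inc = self.incidents[inc_id]
        inc.tasks.append(task)
        inc.journal.append(f"task created: {task}")

    def open_investigation(self, inc_ids: List[str]) -> str:
        """Group like incidents under one parent; tasks stay on each incident."""
        inv_id = f"INV-{len(self.investigations) + 1:03d}"
        self.investigations[inv_id] = list(inc_ids)
        for i in inc_ids:
            self.incidents[i].investigation_id = inv_id
            self.incidents[i].journal.append(f"linked to {inv_id}")
        return inv_id

def demo() -> Tuple[IncidentStore, str]:
    store = IncidentStore()
    # Constructed sample alerts: two hits of one rule against payroll-db01 collapse
    # into a single incident; the third, against another host, opens a second one.
    raw = [
        ("A1", "brute_force_ssh", "203.0.113.5", "10.0.1.20", 6, "20 failed logins"),
        ("A2", "brute_force_ssh", "203.0.113.5", "10.0.1.20", 8, "login succeeded after failures"),
        ("A3", "brute_force_ssh", "203.0.113.9", "10.0.2.15", 4, "12 failed logins"),
    ]
    ids = sorted({store.ingest(SecurityAlert(*r)).incident_id for r in raw})
    store.assign("INC-0001", "soc.analyst1")
    store.escalate("INC-0001", "senior.analyst")
    store.add_task("INC-0001", "reset credentials on payroll-db01")
    return store, store.open_investigation(ids)
```

The state checks in `assign` and `escalate` are the point of the workflow bullet: an escalation must come from an assigned incident, and the journal is the audit trail of who held the incident at each step, so an analyst working the parent investigation can still see each child incident's history.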