Data Dictionary

5 DATA DICTIONARY MODIFICATIONS
Changes to the default Archer SecOps 1.1 configuration will be required to satisfy the requirements of Allianz.
5.1 Incident Record
5.1.1 Overview -> Incident Summary Box
• Add a field called “Operational Entity” – a selection box of approximately 75-100 OE names.
• Modify the display names of the Incident Summary and Incident Title fields to include “public name”; the incident details will remain hidden from reporting and management, since they are intended to be analyst notes rather than formal or “polished” text.
5.1.2 Overview -> Incident Status Box
• Modify the Priority field to use “Low, Medium, High, Critical”, aligned with the incident response plan.
• A false positive field was discussed with Allianz; however, the Results tab will handle the false positive designation.

5.1.3 Overview -> Initial Threat Classification Box
• Modify the box title to “VERIS and Cyber Kill Chain”
• Add field called “Cyber Kill Chain Penetration”
o Drop-down with values ordered sequentially: “Recon, Weaponization, Delivery, Exploit, Install, C2, Exfil”
• Hide the field named “Threat valid”
5.1.4 Overview -> Incident Reporting Box
• Hide “Declared Incident”
• Move “Attach to InfoSec Briefing” to “Results” tab
• Move “Confidential Incident” to the top in the Incident Summary box
5.1.5 Alerts
• TBD – change items to ArcSight terminology.
5.1.6 Incident Response Tasks
• Hide entire tab (will map to wiki in other tabs)
5.1.7 Incident Journal
• This tab should be hidden from non-SOC members (OEs).
5.1.8 Forensic Analysis
• Hide entire tab
5.1.9 Impact Analysis
• Hide entire tab (2015 task)
5.1.10 Remediation -> Remediation Action Required
• Modify “Specify Remediation Action” to remove the “SOC/IR Program Improvement” option
• When a user selects Containment, a containment options drop-down should appear:
o Turn off network connectivity
o Acquire disk (pull disk)
o TBD
• When a user selects Eradication, a drop-down should appear with the following options:
o Remove file(s) per documented process
o Send to IT helpdesk to re-image
o Other
5.1.11 Results -> Incident Results Box
• Hide “Confidence Rating” field
5.1.12 Results -> Controls Efficiency
• Hide the “Controls Efficiency” box
5.1.13 Results -> Actor, Tactics, Techniques
• Display the box directly instead of requiring users to drill into the fields
5.1.14 Results -> Target Details
• Display the box directly instead of requiring users to drill into the fields