
Cyware Fusion and Threat Response

Incidents

An incident is a violation of an organization’s explicit or implicit security policies. Incidents include both threat warnings and attacks that have already been executed. In Respond (CFTR), you can create incidents and assign them to security analysts for investigation and response. Some common examples of incidents are:

  • Attempts to gain unauthorized access to systems or data

  • Unauthorized use of systems or data

  • Making changes to a system or program without the knowledge of the administrator

  • Denial of service attacks

  • Attacks that cause application, database, and networking system failure

Incident Management Flow

The following illustration shows the overall flow of the incident management process in Respond:

Incident_Management.png
  1. Create Incident: When your organization encounters a threat, create an incident to respond to the threat. For more information, see Create Incident.

  2. Assign a user: Assign a security analyst to respond to the incident. The assigned security analyst must be a member of the assigned user group. For more information, see Assign User.

  3. Analyze Preparation Phase: Change the status of the incident to In Progress, review the details provided in the preparation phase, and start the investigation.

  4. Incident Response: Move between various phases of the incident response and provide the required details. For more information, see Incident Response.

  5. Associate Actions: Add actions for the tasks that are required to be executed as part of the incident response. For example, blocking IP addresses, installing antivirus software, sending advisory emails, and more. For more information, see Create Actions for Incidents.

  6. Close Incident: After responding to the incident, change the status of the incident to Closed.
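The six steps above form one lifecycle. The following Python model, added here as an illustration and not part of Cyware's product or API, encodes that lifecycle as a small state machine: the assignee must belong to the incident's user group, status changes follow the order the steps describe, phase changes are only possible while the incident is In Progress, and a status or phase change can fire a rule that runs a playbook and records both an activity-log entry and a run-log entry. The status name "Open", the phase names other than Preparation, the rule that an analyst must be assigned before work starts, and all sample data are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Allowed status transitions. Only "In Progress" and "Closed" are named on the
# page; "Open" as the initial status is an assumption of this example.
STATUS_TRANSITIONS: Dict[str, Set[str]] = {
    "Open": {"In Progress"},
    "In Progress": {"Closed"},
    "Closed": set(),
}

# Response phases in order. Only "Preparation" is named on the page; the rest
# are assumed for illustration.
PHASES: List[str] = ["Preparation", "Identification", "Containment",
                     "Eradication", "Recovery", "Lessons Learned"]


@dataclass
class Incident:
    incident_id: int
    title: str
    user_group: str
    status: str = "Open"
    phase: str = PHASES[0]
    assignee: str = ""
    actions: List[str] = field(default_factory=list)
    activity_log: List[str] = field(default_factory=list)


@dataclass
class PlaybookRule:
    trigger: str   # "status" or "phase"
    value: str     # the status or phase value that fires the rule
    playbook: str  # name of the playbook to run


class IncidentManager:
    def __init__(self, user_groups: Dict[str, Set[str]], rules: List[PlaybookRule]):
        self.user_groups = user_groups
        self.rules = rules
        self.run_logs: List[Tuple[int, str]] = []  # (incident_id, playbook)
        self._next_id = 1

    def create_incident(self, title: str, user_group: str) -> Incident:
        # Step 1: create the incident and attach it to a user group.
        if user_group not in self.user_groups:
            raise ValueError(f"unknown user group: {user_group}")
        inc = Incident(self._next_id, title, user_group)
        self._next_id += 1
        inc.activity_log.append(f"created, assigned to group {user_group}")
        return inc

    def assign_user(self, inc: Incident, analyst: str) -> None:
        # Step 2: the assignee must be a member of the incident's user group.
        if analyst not in self.user_groups[inc.user_group]:
            raise ValueError(f"{analyst} is not a member of {inc.user_group}")
        inc.assignee = analyst
        inc.activity_log.append(f"assigned to {analyst}")

    def set_status(self, inc: Incident, new_status: str) -> None:
        # Steps 3 and 6: only the transitions in STATUS_TRANSITIONS are legal.
        if new_status not in STATUS_TRANSITIONS[inc.status]:
            raise ValueError(f"cannot move from {inc.status} to {new_status}")
        if new_status == "In Progress" and not inc.assignee:
            raise ValueError("assign an analyst before starting work")  # assumed rule
        inc.activity_log.append(f"status {inc.status} -> {new_status}")
        inc.status = new_status
        self._fire_rules(inc, "status", new_status)

    def set_phase(self, inc: Incident, new_phase: str) -> None:
        # Step 4: move between response phases while the incident is active.
        if new_phase not in PHASES:
            raise ValueError(f"unknown phase: {new_phase}")
        if inc.status != "In Progress":
            raise ValueError("phases can only change while In Progress")  # assumed rule
        inc.activity_log.append(f"phase {inc.phase} -> {new_phase}")
        inc.phase = new_phase
        self._fire_rules(inc, "phase", new_phase)

    def add_action(self, inc: Incident, description: str) -> None:
        # Step 5: record a task that must be executed as part of the response.
        inc.actions.append(description)
        inc.activity_log.append(f"action added: {description}")

    def _fire_rules(self, inc: Incident, trigger: str, value: str) -> None:
        # A matching rule runs its playbook: the rule goes to the activity log,
        # the execution goes to the run logs.
        for rule in self.rules:
            if rule.trigger == trigger and rule.value == value:
                inc.activity_log.append(
                    f"rule fired: {trigger}={value} -> playbook {rule.playbook}")
                self.run_logs.append((inc.incident_id, rule.playbook))


def demo() -> Tuple[Incident, IncidentManager]:
    """Walk one constructed incident through steps 1 to 6 and return it."""
    mgr = IncidentManager(
        user_groups={"SOC Tier 1": {"alice", "bob"}},  # constructed sample group
        rules=[PlaybookRule("phase", "Containment", "Block Indicators")],
    )
    inc = mgr.create_incident("Suspicious login attempts", "SOC Tier 1")
    mgr.assign_user(inc, "alice")
    mgr.set_status(inc, "In Progress")
    mgr.set_phase(inc, "Containment")          # fires the playbook rule
    mgr.add_action(inc, "Block source IP at the perimeter firewall")
    mgr.set_status(inc, "Closed")
    return inc, mgr


if __name__ == "__main__":
    incident, manager = demo()
    print("\n".join(incident.activity_log))
    print("run logs:", manager.run_logs)
```

Running `demo()` prints the activity log for the incident and a single run-log entry for the playbook fired by the move into the Containment phase; attempting to assign an analyst outside the user group, or to close an incident that was never started, raises a ValueError instead of silently succeeding.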

You can also use the following features to respond to incidents effectively:

  • Mission Control: Use the mission control tools to manage incident response activities, such as adding notes, connecting related modules and indicators, and more. For more information, see Mission Control.

  • Attachments: Upload the external files that are related to the incident. For more information, see Add Attachments in Incidents.

  • Playbooks: Run the Orchestrate Playbooks to perform security automation and orchestration tasks in the incident response process. For more information, see Run Playbooks.

    Note

    When Respond triggers a rule to run a playbook based on the incident status or phase change, you can find the rule and playbook execution details in the Activity Logs and the playbook Run Logs respectively.

  • Knowledge Base: Add knowledge base articles for future reference and training based on the learning from the incident response. For more information, see Create Knowledge Base Article.

  • Miscellaneous: The following features are used to track the incident response:

    • Enhancements: Add the enhancements that must be executed to prevent similar threats in the future. To know more about how to create an enhancement, see Create Enhancement.

    • PIRs: Add the Priority Intel Requirements (PIRs) that are required to evaluate the incident response effectiveness. To know more about how to create a PIR, see Create PIR.

    • Cost Tracking: Track the cost incurred by the organization due to the incident. For more information, see Cost Tracking.

    • Time Tracking: Track the time spent by the security analysts to respond to the incident. For more information, see Time Tracking.