Incidents
An incident is a violation of an organization’s explicit or implicit security policies. Incidents include threat warnings as well as attacks that have already been executed. In Respond, you can create incidents and assign them to security analysts to investigate and respond. Some common examples of incidents are:
Attempts to gain unauthorized access to systems or data
Unauthorized use of systems or data
Making changes to a system or program without the knowledge of the administrator
Denial-of-service attacks
Attacks that cause application, database, or network system failures
Incident Management Flow
The following illustration shows the overall flow of the incident management process in Respond:
Create Incident: When your organization encounters a threat, analysts can create an incident with the necessary details to investigate and respond to the threat. For more information, see Create Incident.
Assign a user: Assign a security analyst to respond to the incident. The assigned security analyst must be a member of the assigned user group. For more information, see Assign User.
Analyze Preparation Phase: Change the incident's status to In Progress, analyze the details provided in the preparation phase, and start investigating.
Incident Response: After you create an incident, you can view different phases associated with the incident. In every phase, enter the required details and move to the next phase. For more information, see Incident Response. You can use Connect the Dots to connect related threat intel and components to the incident, which helps you gain contextual information and respond accordingly. For more information, see Connect the Dots.
Associate Actions: Create actions for the tasks that must be completed as part of the incident response, for example, blocking IP addresses, installing antivirus software, or sending advisory emails. For more information, see Create Actions for Incidents.
Close Incident: After closing the actions and adding the required details in the incident phases, change the status of the incident to Closed.
You can also use the following features to respond to incidents effectively:
Mission Control: Use mission control tools such as adding notes, connecting related modules and indicators, and more to manage incident response activities. For more information, see Mission Control.
Attachments: Upload the external files that are related to the incident. For more information, see Add Attachments in Incidents.
Playbooks: Run related Orchestrate playbooks to perform security automation and orchestration tasks in the incident response process. For more information, see Run Playbooks.
Note: When a rule triggers a playbook based on the conditions configured in Rule Engine, such as an incident status or phase change, you can view the rule and playbook execution details in Activity Logs and in the playbook Run Logs.
Knowledge Base: Add Knowledge Base articles for future reference and training based on the learnings while responding to the incident. For more information, see Create Knowledge Base Article.
Miscellaneous: The following features are used to track the incident response:
Enhancements: Add enhancements that must be executed to prevent similar threats in the future. For more information, see Create Enhancement.
PIRs: Add Priority Intel Requirements (PIRs) to request security information or approvals, and assign security team members to provide the requested information or approval. For more information, see Create PIR.
Cost Tracking: Track the cost incurred by the organization due to the incident. For more information, see Cost Tracking.
Time Tracking: Track the time spent by the security analysts to respond to the incident. For more information, see Time Tracking.
Incident Response Layouts
After you create an incident, you can choose from the following two layouts to proceed with the subsequent stages of the incident response process.
New Layout: The new layout offers a streamlined interface for improved navigation across tabs, enhancing user experience. It provides easy access to major features and is integrated with AI to provide suggestions for faster incident response. For more information, see Incident Response (New Layout).
Classic Layout (Default): The classic layout retains the conventional interface, offering users a familiar experience as they navigate through multiple tabs to respond effectively to incidents.