
Cyware Fusion and Threat Response

Incident Response

Before responding to an incident, review its details. The details entered when the incident was created appear in the Preparation phase under Response. Analyze them to understand what the response requires, then perform the necessary tasks to respond to the incident.

You can also view some basic details of the incident on the right sidebar, such as:

  • Overview: Displays the incident ID, the incident workflow that is being used by the incident, time to detect, resolution SLA, created and last updated details, and the labels that are added to categorize the incident. You can also add and remove labels by clicking Edit next to Labels.

  • Connect the Dots: Provides a quick view of various modules linked to the incident. Click a module to view the list of connected components. You can also click Add to connect a module.

  • Threat Intel: Provides a quick view of various indicators linked to the incident. Click an indicator type to view the list of linked indicators. You can also click Add to connect an indicator.

  • Notes: Provides a quick view of the notes added to the incident. You can also click Add to add a note to the incident.

  • Playbook Requires Input: When Orchestrate playbooks run in an incident and need input data to continue, this feature alerts you to provide it. You can open the waiting playbooks directly from CFTR to supply the input data.

    Note

    You can view this feature if Orchestrate integration is enabled in Admin Panel > Configurations > Basic Configuration > Integrations > CywareOrchestrate.

During the incident response, you can also view the incident Summary under Response to get a quick overview of the incident response progress. For more information, see View Incident Summary.

You must assign a user to an incident, who will investigate and respond to the incident. Only the assigned user can update the details of an incident. You can reassign the incident to different users in various phases of the incident response. For more information about how to assign a user, see Assign User.

Note

Only members of the group assigned to the incident can assign a user to it.

Incident Response Flow

The following illustration shows the overall incident response steps that the assigned user performs.

[Figure: Incident_Response.png, incident response flow]
Analyze Preparation Phase Details

As the assigned user, before starting the investigation and further incident response, analyze the incident details provided by the creator of the incident in the Preparation phase. After analyzing the details provided in the Preparation phase, do one of the following:

  • If a similar incident already exists in CFTR with the same response requirements, then merge the incident with the existing incident (parent incident) as a child incident. Merged incidents do not need a separate incident response and will be automatically closed when the parent incident is closed. For more information, see the Merged Incidents section of Mission Control.

  • If the incident is not merged, then move to the next phase and investigate as per the phase requirements.

[Figure: Preparation_Flow.png, Preparation phase decision flow]
Enter Incident Phase Details

An incident response process includes multiple phases based on the nature of an incident. The phases that are applicable to an incident depend on the incident workflow that is being used by the incident. Each phase includes a set of fields that must be entered before moving to the next phase and subsequently closing the incident.

Note

Incident workflow is automatically assigned to an incident as per the workflow mapping configured by your admin. For more information, see Configure Incident Workflows.

You can view the phases that are applicable to an incident under Response. Each phase displays the following details:

  • Phase flow type: Displays the phase flow type of the incident workflow that is being used for the incident. There are two types of phase flow:

    • Linear Flow: You can only move to the next phase after entering all the details in a phase.

    • Non-linear Flow: After entering all the details in the current phase, you can move to any other phase of the workflow.

  • Phase fields: Displays the fields that must be entered by the assigned user.

  • Actions to be closed: Displays the number of actions associated with the phase that are still open.

To enter the details in a phase, do the following:

  1. Go to an incident phase.

  2. Hover over a field and click Edit.

  3. Enter the appropriate details in the field.

  4. Click Save.

To enter the details in another phase, do one of the following:

  • For Linear Flow: Click Move to Next Phase.

  • For Non-linear Flow: Click Change Phase and select a phase.
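The rules above (only the assignee edits phase fields, a phase must be complete before the incident leaves it, linear flows advance one phase at a time while non-linear flows may jump to any phase, and closure requires every phase complete with no open action) are easy to get subtly wrong when you automate around a case-management tool. The following is an added example written for this page, not Cyware code or a CFTR API; it models those rules as a small state machine so the gating behaviour can be tested. The workflow, phase names, field names and user names are constructed.

```python
"""Illustrative model of phase-gated incident workflows (not CFTR code)."""
from dataclasses import dataclass, field


class WorkflowError(Exception):
    """A phase transition or closure violated the workflow rules."""


@dataclass
class Phase:
    name: str
    required_fields: tuple              # fields the assignee must enter
    values: dict = field(default_factory=dict)
    open_actions: int = 0               # associated actions not yet closed

    def missing_fields(self):
        return [f for f in self.required_fields if not self.values.get(f)]

    def is_complete(self):
        return not self.missing_fields()


@dataclass
class Incident:
    incident_id: str
    assignee: str
    flow: str                           # "linear" or "non-linear"
    phases: list
    current: int = 0                    # index of the active phase
    closed: bool = False

    @property
    def current_phase(self):
        return self.phases[self.current]

    def _require_assignee(self, user):
        # Only the assigned user may update incident details.
        if user != self.assignee:
            raise PermissionError(f"{user} is not assigned to {self.incident_id}")

    def _require_complete(self):
        # An incident may not leave a phase with required fields still empty.
        missing = self.current_phase.missing_fields()
        if missing:
            raise WorkflowError(f"phase {self.current_phase.name!r} still needs {missing}")

    def set_field(self, user, name, value):
        self._require_assignee(user)
        if name not in self.current_phase.required_fields:
            raise WorkflowError(f"{name!r} is not a field of {self.current_phase.name!r}")
        self.current_phase.values[name] = value

    def move_to_next_phase(self, user):
        """Linear flow: advance exactly one phase once the current one is complete."""
        self._require_assignee(user)
        if self.flow != "linear":
            raise WorkflowError("use change_phase() in a non-linear flow")
        self._require_complete()
        if self.current == len(self.phases) - 1:
            raise WorkflowError("already in the final phase; close the incident instead")
        self.current += 1
        return self.current_phase.name

    def change_phase(self, user, phase_name):
        """Non-linear flow: jump to any phase once the current one is complete."""
        self._require_assignee(user)
        if self.flow != "non-linear":
            raise WorkflowError("use move_to_next_phase() in a linear flow")
        self._require_complete()
        names = [p.name for p in self.phases]
        if phase_name not in names:
            raise WorkflowError(f"unknown phase {phase_name!r}")
        self.current = names.index(phase_name)
        return self.current_phase.name

    def close(self, user):
        """Close only when every phase is complete and no associated action is open."""
        self._require_assignee(user)
        blockers = [p.name for p in self.phases if not p.is_complete() or p.open_actions]
        if blockers:
            raise WorkflowError(f"cannot close; unfinished phases: {blockers}")
        self.closed = True
        return self.closed


def new_phishing_incident(flow):
    """Constructed sample: a three-phase workflow for a phishing report."""
    return Incident("INC-EXAMPLE-1", "analyst.a", flow, [
        Phase("Preparation", ("summary", "reporter")),
        Phase("Containment", ("affected_mailboxes", "sender_blocked")),
        Phase("Closure", ("root_cause", "lessons_learned")),
    ])


def demo():
    """Walk a linear incident through its phases and record which rules fired."""
    inc, results = new_phishing_incident("linear"), {}
    try:
        inc.set_field("intern.b", "summary", "credential phish")   # not the assignee
    except PermissionError:
        results["non_assignee_blocked"] = True
    try:
        inc.move_to_next_phase("analyst.a")                         # fields still empty
    except WorkflowError:
        results["incomplete_phase_blocked"] = True
    inc.set_field("analyst.a", "summary", "credential phish")
    inc.set_field("analyst.a", "reporter", "user.c")
    results["after_preparation"] = inc.move_to_next_phase("analyst.a")
    inc.phases[1].open_actions = 1                                  # e.g. "block sender" action
    inc.set_field("analyst.a", "affected_mailboxes", "3")
    inc.set_field("analyst.a", "sender_blocked", "yes")
    results["after_containment"] = inc.move_to_next_phase("analyst.a")
    inc.set_field("analyst.a", "root_cause", "lookalike domain")
    inc.set_field("analyst.a", "lessons_learned", "add domain to blocklist")
    try:
        inc.close("analyst.a")                                      # action still open
    except WorkflowError:
        results["open_action_blocks_close"] = True
    inc.phases[1].open_actions = 0
    results["closed"] = inc.close("analyst.a")
    return results
```

Note that `close()` checks every phase, not just the current one: in a non-linear flow the assignee can jump past a phase and come back later, so the closure gate is the only place where "all phases complete" is guaranteed.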

Associate Actions with Incidents

While investigating the details of an incident phase, if a task must be performed to respond to the threat, you can create an action and associate it with the incident phase. For more information, see Create Action.

Close Incident

After responding to an incident, close the incident. For more information, see Close Incident.

You can also create a knowledge base article and associate it with the incident to document the learning from the incident. For more information, see Knowledge Base.