Create Incident
When your organization encounters a threat, you can create an incident in CFTR and assign a security group and an analyst to investigate and respond to the threat.
Note
Integrate Orchestrate with Respond to automate incident creation through Orchestrate Playbooks. For more information, see Create Incidents from Orchestrate Playbook.
Before you Start
Ensure that you have Create/Update permission for Incidents.
Steps
To create an incident in Respond, follow these steps:
On the top app bar, click +New and select Incident.
In Title, enter a title that best describes the incident. For example, Received a phishing email.
In Incident Details, enter the details of the incident. The fields marked with an asterisk (*) are mandatory, and all mandatory fields must be filled in to create an incident in the Open state.
Note
The fields under Incident Details may differ based on the fields configured by your administrator in Admin Panel > Form Management > Incident > Incident Workflows.
Description: Enter a description that captures the key details of the incident. For example, A phishing mail was received from john.doe@sampledomain.com with the subject "Important Announcement". You can add up to 30,000 characters.
Business Impact: Enter the business impact caused to your organization due to the incident. For example, Financial Loss. Some of the suggested values are:
Branding Impact
Business Disruption
Data Theft
Financial Loss
IP Theft
No Impact
Business Unit(s) Impacted: Select the business units that are impacted by the incident. The selected business units are assigned to the incident, and only users with access to these business units can view the incident.
Assigned Group: Select the CFTR user group to which the incident is assigned. Only CFTR users from the selected group can be assigned to the incident. For example, P1 security group.
Assigned User: Select a user to investigate and respond to the incident. For example, John Doe.
Incident Date: Enter the date when the incident occurred. You can sort incidents by their incident date.
Severity: Select a severity level for the incident. This helps in grouping incidents by severity. An administrator can map severity levels to incident types to set SLA (Service Level Agreement) due dates and the escalations required for handling the incident. The available severity levels are:
Unknown
Low
Medium
High
Critical
Crisis
Detection Date: Enter the date when the incident was detected as malicious. You can sort incidents by their detection date.
Sources: Select the sources of the incident. For example, Email- infosec.
Applicable Compliance: Enter the compliance standards that apply to the incident. Some of the compliance standards are:
Payment Card Industry (PCI) security standard
Sarbanes–Oxley Act (SOX) audit standards
Kill Chain Phase: Select the kill chain phase that matches the current stage of the attack. For example, Exploitation. This helps you analyze each step of the attack in line with the cyber kill chain stages. The available phases are:
Action on Objectives
Command and Control
Delivery
Exploitation
Installation
Reconnaissance
Incident Type: Select the incident type. For example, Phishing. An administrator can map incident types to severity levels to set SLA (Service Level Agreement) due dates and the escalations required for handling the incident. Some of the predefined incident types are:
APT
Error
Hacking
Improper Disposal
IP Spoofing
Lost Device
Malware
Network Scanning
Phishing
Spamming
Spearphishing
System Misuse
User Account Compromise
Website Defacement
Other
Location(s) Impacted: Enter the locations impacted by the incident. The selected locations are assigned to the incident, and only users with access to these locations can view the incident.
Tactic-Technique-SubTechnique: Click +Add to add the tactics, techniques, and sub-techniques used in the attack. Each tactic and its applicable techniques are mapped automatically and shown in the field's drop-down values using the MITRE ATT&CK Navigator tool.
(Optional) To protect the confidential information entered in the incident, select Protected on the right. This ensures that only users within the assigned user group can modify the incident details. For more information, see Protect Incidents.
(Optional) To classify incidents, select the relevant labels using the Labels dropdown. Administrators can configure the labels for each CFTR module under Admin Panel > Settings > Label.
To save the incident, click Save as Untriaged or Submit.
Save as Untriaged: Saves the incident in the untriaged state and any user with view permissions to the incident can update or delete the incident.
Submit: Saves the incident in an open state enabling you to respond to the incident.
An incident is created with a unique ID in Untriaged or Open status. For example, #INC123. To view other details of the incident, see View Details of an Incident.
View Details of an Incident
After you create an incident, the top bar below the incident title shows details such as the assigned user, labels, incident status, activity logs, and more.
To view the details of the incident, follow these steps:
Go to Menu > Incidents, and select an incident.
You can view the following incident information:
Resolution SLA: View the time limit within which you must close the incident.
Assigned Group: View the user group to which the incident is assigned. Only users from the assigned group can edit or modify the incident.
Assigned User: View the user to whom the incident is assigned. Only the assigned user can modify the incident details and move it to the next phase.
Labels: View the labels that are associated with the incident.
Click Show More to view the following:
Created: View the incident's creation date and time.
Opened: View the date and time when the incident was moved to open status.
Updated: View the date and time when the incident was last updated.
Time to Detect: View the time taken to detect the incident as malicious.
Workflow: View the workflow associated with the incident.
ID: View the incident ID.
Status: View the status of the incident. For example, Open.
Activity Logs: View the activity logs of an incident to keep track of all the updates. This helps you trace the incident updates during incident retrospection. For more information, see Manage Activity Logs.
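The Severity, Incident Type and Detection Date fields above, together with the Resolution SLA and Time to Detect values shown here, describe a small amount of date arithmetic that the product performs for you. The following is an added example, written for this page and not CFTR's own code, that models that arithmetic: a (incident type, severity) lookup table for the resolution SLA, the due date derived from the Opened time, an escalation threshold, and Time to Detect computed as Detection Date minus Incident Date. The SLA values, the 25 % escalation threshold, the assumption that the SLA clock starts when the incident is opened, and the sample incident are all constructed for the example; the real mapping is whatever your administrator configured.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Hypothetical (incident type, severity) -> resolution SLA in hours.
# Constructed for this example; these are not product defaults.
SLA_HOURS = {
    ("Phishing", "High"): 8,
    ("Phishing", "Medium"): 24,
    ("Malware", "Critical"): 4,
    ("Malware", "High"): 8,
}
DEFAULT_SLA_HOURS = 72        # assumed fallback when no mapping exists
ESCALATION_FRACTION = 0.25    # assumed: escalate when <= 25 % of the window remains


@dataclass
class Incident:
    incident_id: str
    incident_type: str
    severity: str
    incident_date: datetime    # when the incident occurred
    detection_date: datetime   # when it was identified as malicious
    opened: datetime           # when it was moved to Open (assumed SLA start)


def validate_dates(inc: Incident) -> list:
    """Return a list of problems with the incident's dates (empty if consistent)."""
    problems = []
    if inc.detection_date < inc.incident_date:
        problems.append("detection date precedes incident date")
    if inc.opened < inc.detection_date:
        problems.append("opened before detection")
    return problems


def time_to_detect(inc: Incident) -> timedelta:
    """Detection Date minus Incident Date; refuses inconsistent dates instead of
    silently reporting a negative or misleading value."""
    problems = validate_dates(inc)
    if problems:
        raise ValueError(f"{inc.incident_id}: " + "; ".join(problems))
    return inc.detection_date - inc.incident_date


def ttd_hours(inc: Incident) -> float:
    return time_to_detect(inc).total_seconds() / 3600


def sla_hours_for(incident_type: str, severity: str) -> int:
    return SLA_HOURS.get((incident_type, severity), DEFAULT_SLA_HOURS)


def resolution_due(inc: Incident) -> datetime:
    return inc.opened + timedelta(hours=sla_hours_for(inc.incident_type, inc.severity))


def sla_state(inc: Incident, now: datetime) -> str:
    """'within_sla', 'escalate' or 'breached' relative to the resolution SLA at `now`."""
    window = timedelta(hours=sla_hours_for(inc.incident_type, inc.severity))
    remaining = resolution_due(inc) - now
    if remaining <= timedelta(0):
        return "breached"
    if remaining <= window * ESCALATION_FRACTION:
        return "escalate"
    return "within_sla"


UTC = timezone.utc
# Constructed sample incident, matching the phishing example used on this page.
SAMPLE = Incident(
    incident_id="INC123",
    incident_type="Phishing",
    severity="High",
    incident_date=datetime(2024, 3, 1, 9, 0, tzinfo=UTC),
    detection_date=datetime(2024, 3, 1, 13, 30, tzinfo=UTC),
    opened=datetime(2024, 3, 1, 14, 0, tzinfo=UTC),
)
# Constructed sample with the dates entered the wrong way round.
BAD_DATES = Incident(
    incident_id="INC124",
    incident_type="Phishing",
    severity="High",
    incident_date=datetime(2024, 3, 2, 9, 0, tzinfo=UTC),
    detection_date=datetime(2024, 3, 1, 13, 30, tzinfo=UTC),
    opened=datetime(2024, 3, 2, 10, 0, tzinfo=UTC),
)

if __name__ == "__main__":
    print(f"{SAMPLE.incident_id}: time to detect {ttd_hours(SAMPLE):.1f} h, "
          f"due {resolution_due(SAMPLE).isoformat()}, "
          f"state at 20:00 UTC: {sla_state(SAMPLE, SAMPLE.opened.replace(hour=20))}")
    print(f"{BAD_DATES.incident_id}: {validate_dates(BAD_DATES)}")
```

All timestamps are timezone-aware; mixing naive and aware datetimes is the usual source of off-by-hours SLA reports, so reject or normalise user-entered dates before doing this arithmetic.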
Process Threat Intel
Notice
This feature is only available in the New Layout for Incident Response.
While creating an incident, you can choose to automatically extract threat intel (indicators such as email addresses, domains, IP addresses and file hashes) from the text fields in Respond and send it to Intel Exchange for ingestion and enrichment.
Note
To enable Process Intel, ensure that your admin has enabled it in Basic Configurations and Field Settings. For more information, see Configure General Settings and Configure Process Intel.
If you are updating the text fields in an incident, click Process Intel and Save to update and process intel.
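To make concrete what "processing intel from the text fields" involves, here is an added example, written for this page and not Respond's or Intel Exchange's own code, that pulls indicators out of incident text fields such as Title and Description, drops the usual false positive (a file name that looks like a domain), normalises hashes, and defangs each value for display. The indicator types, the regular expressions, the payload shape and the sample incident text are all assumptions made for the example; the real Intel Exchange ingestion format is not shown on this page.

```python
import re

# Conservative patterns for the indicator types commonly found in free text.
# Illustrative only: a production extractor would also handle IPv6, URLs,
# file paths, CVE IDs and defanged input such as "hxxp" or "[.]".
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@(?:[A-Za-z0-9-]+\.)+[A-Za-z]{2,}")
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)
HASH_RE = re.compile(r"\b(?:[A-Fa-f0-9]{64}|[A-Fa-f0-9]{40}|[A-Fa-f0-9]{32})\b")
# A domain must not be the host part of an e-mail address (EMAIL_RE owns
# those) and must not sit inside a longer token.
DOMAIN_RE = re.compile(
    r"(?<![\w@.-])(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,}(?![\w@-])"
)
# "invoice.pdf" looks like a domain to a naive regex; filter by extension.
FILE_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "exe", "zip", "txt", "lnk"}


def _unique(values):
    """Deduplicate while keeping first-seen order."""
    return list(dict.fromkeys(values))


def extract_indicators(text: str) -> dict:
    """Return indicators found in free text, grouped by type."""
    domains = [
        d for d in _unique(DOMAIN_RE.findall(text))
        if d.rsplit(".", 1)[-1].lower() not in FILE_EXTENSIONS
    ]
    return {
        "email": _unique(EMAIL_RE.findall(text)),
        "domain": domains,
        "ipv4": _unique(IPV4_RE.findall(text)),
        "hash": _unique(h.lower() for h in HASH_RE.findall(text)),
    }


def defang(indicator: str) -> str:
    """Neutralise an indicator so it is not clickable or auto-linked in a UI."""
    return indicator.replace(".", "[.]").replace("@", "[@]")


def build_intel_payload(incident_id: str, fields: dict) -> list:
    """Flatten the indicators from every text field into records that could be
    handed to an ingestion/enrichment service. Hypothetical record shape."""
    records = []
    for field_name, text in fields.items():
        for ioc_type, values in extract_indicators(text).items():
            for value in values:
                records.append({
                    "incident": incident_id,
                    "field": field_name,
                    "type": ioc_type,
                    "value": value,
                    "display": defang(value),
                })
    return records


# Constructed sample text fields, extending the phishing example on this page.
SAMPLE_FIELDS = {
    "title": "Received a phishing email",
    "description": (
        "A phishing mail was received from john.doe@sampledomain.com with the subject "
        '"Important Announcement". The attachment invoice.pdf beaconed to 203.0.113.45 '
        "and hxxp://update-portal.example.net/login. Attachment SHA-256: "
        "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855."
    ),
}

if __name__ == "__main__":
    for record in build_intel_payload("INC123", SAMPLE_FIELDS):
        print(f"{record['field']:<12} {record['type']:<7} {record['display']}")
```

Two behaviours are worth copying into any real extractor: the domain pattern refuses to match the host part of an address already captured as an email, so the same text does not produce overlapping indicators, and hashes are lower-cased before deduplication so the same SHA-256 typed in two cases is sent once.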