Incident Response Tips



  • Official comment
    Oliver Pinson-Roxburgh

    This is great. I would also suggest using aggregation around the incident to help focus the investigation using the Log Manager Omnibox. It really helps summarise the logs to help spot anomalies.

    This knowledge base article on Omnibox should help you get started if you aren't familiar with its functionality: Log Manager Omnibox Log Search

  • Avatar
    Paul Le Page

    Thanks for sharing this. I find it interesting that you are looking so closely at events and that you're using event alert rules. There is absolutely nothing wrong with this approach, but as our primary output to customers is Incidents, this is what I had expected most customers to focus on.

    Events are the raw output from our IDS sensors - every time network traffic is seen which matches a signature (of which we have tens of thousands), an event is generated. Events tend to be high volume and low fidelity - so we leverage advanced analytics to find the "needle in the haystack" - although often it is more like trying to find a needle in a stack of other needles! You can read more about some of the analytics techniques we use in this blog post:

    Our SOC analysts and security researchers also use the raw event data to drive improvements to our detection capabilities.

    The output from analytics is an Incident - this is the "needle" that we've found, and it will be comprised of (usually) multiple events and/or log messages. Incidents are escalated to you by our Security Operations Centre by phone or email depending on the severity, which indicates the seriousness of the threat and the risk to your environment. 

    You can read more about incident severities and how we handle them in this article:

    My general advice to clients is to focus on Critical and High severity incidents first - these indicate a successful attack or compromise against your environment, and require immediate attention. Our SOC analysts will work closely with you during the process to ensure you have all the information you need to address the issue quickly and effectively.

    Medium and Low severity incidents represent unsuccessful attacks - we keep an eye on these, watching out for further activity from the attacker, and will increase the severity if we see the attacker escalating. It is a good idea to review the Medium and Low severity incidents on a regular basis so that you are aware of what is being attempted against your environment, and if any trends or patterns are occurring. Our reporting (available in the console) can help with this, allowing you to decide if there is any action you wish to take. This could take the form of blocking IP addresses, closing unneeded ports, or to inform whitelisting or tuning request.

    We would be very interested to hear how other customers are consuming data from us, and the processes that you follow for incident response - if you would like to share, please add your comments below.




Please sign in to leave a comment.