Auto Analysis Single Finding Drill Down
1. Direct Link to Auto Analysis (All Sources Integration)
Flow diagram (reconstructed from the figure): two user roles reach the same 360 View by different paths.
• SOC Operations Personnel: Login to App → Drill Down / Investigate on any one of the entities, resulting in a 360 View for that entity.
• SOC Analyst, after receiving an email alert on a finding, on a new incident, or on an existing incident moved to a higher severity than before: Login to App → Auto Analysis page filtered with one single finding → Drill Down / Investigate on any one of the entities, resulting in a 360 View for that entity.
2. Terminologies
• Finding – Detections made by any service or in-house which indicate some ‘abnormalities’ in the system.
• Alert – Findings that an analyst receives in an email. It is not a ‘noun’, it’s a ‘verb’ (an analyst is alerted on a finding).
• Incident – a group of related finding(s) that together create an actionable possible threat that you can investigate and resolve.
• Signal – Data points the algorithm consumes to arrive at a finding. Not all signals will result in a finding; only higher-fidelity signals will be converted into findings.
3. User Roles
• SOC Operations Personnel
• Has ‘admin’ level access, where they can see all-sources integrations as well as individual findings/incidents.
• SOC Analyst
• Acts on an individual finding/incident notification.
4. Assumptions
• Findings will not be notified by default, unless it is configured to do so, in which case the user will be ‘alerted’.
• Findings will be converted to incidents at the end of auto-analysis by default (an incident can be 1 alert or a group of findings).
• An incident can also be updated (if a new finding is part of an existing group/incident) unless the incident is closed. If closed, there will be associations with that one, but we will not be reopening it.
• A group can have a single finding.
• 360 view is not for RCA.
• Incident will by default enter a ticketing workflow.
• Notifications can be initiated from EA system / Ticketing system (3rd party) based
on tenant preference.
• 360 view is a drill down for a specific entity.
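The grouping and notification rules in the assumptions above, as an added Python example that is not part of the original document: the `group_key` attribute used to relate findings, the severity scale, the constructed sample findings, and the handling of a finding that matches an already-closed incident (associate it, open a fresh incident, never reopen) are all assumptions.

```python
from dataclasses import dataclass, field

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Incident:
    key: str            # grouping key shared by related findings (assumed field name)
    severity: str
    findings: list = field(default_factory=list)
    related_closed: list = field(default_factory=list)  # closed incidents of same group
    closed: bool = False

class IncidentStore:  # open incidents update, closed ones only associate, alerts on new/escalation
    def __init__(self):
        self.open, self.closed, self.alerts = {}, {}, []

    def close(self, key):
        inc = self.open.pop(key)
        inc.closed = True
        self.closed.setdefault(key, []).append(inc)

    def ingest(self, finding):
        key, sev = finding["group_key"], finding["severity"]
        inc = self.open.get(key)
        if inc is not None:
            # existing open incident: add the finding, alert only if severity rises
            inc.findings.append(finding)
            if SEVERITY[sev] > SEVERITY[inc.severity]:
                self.alerts.append(f"incident {key} escalated {inc.severity} -> {sev}")
                inc.severity = sev
            return inc
        # no open incident for this group: open one (a group may hold a single finding);
        # any closed incident with the same key is associated but never reopened (assumed)
        inc = Incident(key, sev, [finding], list(self.closed.get(key, [])))
        self.open[key] = inc
        self.alerts.append(f"new incident {key} ({sev})")
        return inc

def run_sample():
    # constructed findings: two on host-a, one on host-b, then one after host-a is closed
    store = IncidentStore()
    for f in [{"id": "f1", "group_key": "host-a", "severity": "low"},
              {"id": "f2", "group_key": "host-a", "severity": "high"},
              {"id": "f3", "group_key": "host-b", "severity": "medium"}]:
        store.ingest(f)
    store.close("host-a")
    store.ingest({"id": "f4", "group_key": "host-a", "severity": "low"})
    return store
```

The `alerts` list stands in for the email notifications: one entry per new incident and one per severity escalation, none for a finding that merely joins an open incident at the same or lower severity.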
5. Current Limitations
• No configuration is available to the user today to remove/add a finding from/to an incident.
• RCA is not modelled yet.
• Email notification (EA initiated) is not available yet.
• GuardDuty (AWS) and EA Findings are the sources integrated into the ‘auto-investigate’ workflow so far.