Recommended
More Related Content
Similar to Auto Analysis Single Finding Drill Down
Similar to Auto Analysis Single Finding Drill Down (20)
Recently uploaded
Recently uploaded (20)
Auto Analysis Single Finding Drill Down
- 1. Direct Link to Auto Analysis (All Sources Integration) Login to App Drill Down / Investigate on any one of the entities resulting in 360 View for that entity User Receives an email alert on a new incident User Receives an email alert on an existing incident moved to higher severity than before Auto Analysis page filtered with one single finding Drill Down / Investigate on any one of the entities User Receives an email alert on a finding Login to App Login to App Auto Analysis page filtered with one single finding Drill Down / Investigate on any one of the entities resulting in 360 View for that entity SOC Operations Personnel SOC Analyst
- 2. Terminologies • Finding – Detections done by any services or in-house which indicates some ‘abnormalities’ in the system. • Alert – Findings which analysts receives in an email. Its not an ‘noun’, it’s a ‘verb’ (an analysts is alerted on a finding). • Incident – groups of related finding(s) that together create an actionable possible-threat that you can investigate and resolve. • Signal – Data points algorithm consumes to arrive at a finding. Not all signals will result in a finding. Only higher fidelity signals will be converted into findings.
- 3. User Roles • SOC Operations Personnel • Has ‘admin’ level access, where he/she can see all-sources integrations as well as individual finding/incident. • SOC Analyst • Acts on an individual finding/incident notification.
- 4. Assumptions • Findings will not be notified by default, unless it’s configured to do so in which case, the user will be ‘alerted’. • Will be converting findings to incidents at the end of auto-analysis, by default (Can be 1 alert or a group of findings) • An incident can also be updated (if a new finding is part of a existing group/incident) unless an incident is closed. If closed, there will be associations with that one, but we will not be reopening it. • A group can have single finding. • 360 view is not for RCA. • Incident will by default enter a ticketing workflow. • Notifications can be initiated from EA system / Ticketing system (3rd party) based on tenant preference. • 360 view is a drill down for a specific entity.
- 5. Current Limitations • No configuring to User today to remove/add finding from/to an incident. • RCA is not modelled yet. • Email notification (EA initiated) is not available yet. • Guard duty (AWS) and EA Findings are the sources integrated into ‘auto- investigate’ workflow so far.