NCSC - National Cyber Security Center
# Basic Incident Management Definitions
- Alert
  - generated as a result of data collection and processing in SIEM
- Event
  - Any observable occurrence in a system or network
- Incident
  - violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices
- True Positive
  - the situation the rule was written to detect and the situation that actually triggered the alert are the same
- False Positive
  - a false alarm
# Incident Management Systems (IMS)
An IMS is where SOC teams conduct investigation processes and record the actions taken when an incident occurs.
## How IMS Works
- Data entry must first be provided.
  - Typically from a SIEM or another security product.
- Ticket is created

Enriched data via integrations with Threat Intelligence/SOAR helps with responding quickly. If there is no threat intelligence platform integration, a manual query on an open-source platform (e.g. VirusTotal) is required.
Many SOAR platforms can integrate with individual security products.
# Case/Alert Naming
With a naming convention, analysts can quickly access the alarm details they want to reach while examining past records. A case/alert name is built from:
- Alert Category
- Event Source
- Description
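The ticket-creation flow and the naming convention above, as an added worked example (not code from the page or from any IMS/SOAR product): a SIEM alert becomes a ticket named `Category - Source - Description`, is enriched from a threat-intelligence integration when the indicator is known, and is flagged for a manual open-source lookup when it is not. The alert fields, the `Ticket` structure and the `THREAT_INTEL` table are constructed assumptions.

```python
"""Toy incident-management flow: SIEM alert -> enrichment -> named ticket.

Added illustration, not code from the page or any IMS product. The alert
format, the ticket fields and the threat-intel lookup are all assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample alerts, as a SIEM might hand them to an IMS.
SAMPLE_ALERTS = [
    {"id": 101, "category": "Malware", "source": "EDR",
     "description": "Suspicious PowerShell Download", "ioc": "203.0.113.7"},
    {"id": 102, "category": "Phishing", "source": "Mail Gateway",
     "description": "Credential Harvest Link", "ioc": "example.invalid"},
]

# Constructed stand-in for a threat-intelligence integration. Only
# indicators present here can be enriched automatically.
THREAT_INTEL = {
    "203.0.113.7": {"verdict": "malicious", "tags": ["c2"]},
}


@dataclass
class Ticket:
    alert_id: int
    name: str
    enrichment: dict = field(default_factory=dict)
    manual_lookup_required: bool = False
    notes: list = field(default_factory=list)


def build_case_name(category, source, description, sep=" - "):
    """Apply the naming convention: Category - Source - Description."""
    parts = [re.sub(r"\s+", " ", p.strip()) for p in (category, source, description)]
    if not all(parts):
        raise ValueError("category, source and description are all required")
    return sep.join(parts)


def parse_case_name(name, sep=" - "):
    """Inverse of build_case_name, so past records can be filtered by field."""
    category, source, description = name.split(sep, 2)
    return {"category": category, "source": source, "description": description}


def create_ticket(alert):
    """Turn one SIEM alert into an IMS ticket with enrichment where available."""
    name = build_case_name(alert["category"], alert["source"], alert["description"])
    ticket = Ticket(alert_id=alert["id"], name=name)
    intel = THREAT_INTEL.get(alert["ioc"])
    if intel is not None:
        ticket.enrichment = {"indicator": alert["ioc"], **intel}
    else:
        # No integration hit: the analyst must query an open-source
        # platform by hand, so flag the ticket instead of guessing a verdict.
        ticket.manual_lookup_required = True
        ticket.notes.append(f"manual lookup needed for {alert['ioc']}")
    return ticket


def find_cases(tickets, category=None, source=None):
    """Search past records by the fields encoded in the case name."""
    hits = []
    for t in tickets:
        fields = parse_case_name(t.name)
        if category and fields["category"] != category:
            continue
        if source and fields["source"] != source:
            continue
        hits.append(t)
    return hits


if __name__ == "__main__":
    tickets = [create_ticket(a) for a in SAMPLE_ALERTS]
    for t in tickets:
        print(t)
    print(find_cases(tickets, category="Phishing"))
```

Because every name is built and parsed by the same two functions, the convention stays consistent across analysts, and `find_cases` shows why that matters: past records become searchable by category or source without a free-text match.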
# Playbooks
Playbooks are workflows prepared for effective and consistent analysis of alerts created on SIEM.
Important because SOC Analysts may not always know exactly what to do when handling alerts. They can carry out the investigation process step by step thanks to the instructions in playbooks.
# SOC Analyst Responsibilities
Main task is to detect threats to your organization by analyzing the alerts created in SIEM.
Alerts created do not always indicate an actual incident. Most are false positives, so analysts need to provide constant feedback to the teams creating SIEM rules.
- To do this effectively, dig into the details to understand whether an alert is a false positive.
Follow the playbooks.
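The playbook idea from the Playbooks section and the true/false-positive feedback loop from this section, as one added worked example (not code from the page or any SOC product): a playbook is an ordered list of instructions, each with an automatic check, walked step by step until a verdict is reached, and the verdicts are counted per SIEM rule so the rule authors get concrete feedback. The playbook format, the alert `context` fields, the rule names and the allow-lists are constructed assumptions.

```python
"""Toy playbook runner with true/false-positive feedback per SIEM rule.

Added illustration; the playbook format, the alert fields and the
allow-lists are assumptions, not anything from the page or a real product.
"""
from collections import defaultdict

# Constructed alerts from two SIEM rules. "context" stands in for the
# details an analyst digs into (user, parent process, reputation, signing).
SAMPLE_ALERTS = [
    {"id": 1, "rule": "Encoded PowerShell",
     "context": {"user": "svc_backup", "parent": "backup-agent.exe",
                 "reputation": "clean", "signed": True}},
    {"id": 2, "rule": "Encoded PowerShell",
     "context": {"user": "jdoe", "parent": "winword.exe",
                 "reputation": "unknown", "signed": False}},
    {"id": 3, "rule": "Outbound to TOR",
     "context": {"user": "analyst1", "parent": "firefox.exe",
                 "reputation": "clean", "signed": True}},
]

# Constructed allow-lists the playbook checks refer to.
APPROVED_PARENTS = {"backup-agent.exe", "sccm-client.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}

# A playbook: ordered steps, each a human-readable instruction plus an
# automatic check. Steps run in order until one reaches a verdict.
PLAYBOOK = [
    {"instruction": "Is the parent process an approved admin/backup tool?",
     "check": lambda c: c["parent"] in APPROVED_PARENTS,
     "on_yes": "false_positive"},
    {"instruction": "Was the script launched from an Office application?",
     "check": lambda c: c["parent"] in OFFICE_APPS,
     "on_yes": "true_positive"},
    {"instruction": "Does the binary have bad reputation or lack a signature?",
     "check": lambda c: c["reputation"] == "malicious" or not c["signed"],
     "on_yes": "true_positive"},
]


def run_playbook(alert, playbook=PLAYBOOK):
    """Walk the steps in order, recording each action taken for the ticket."""
    log = []
    for n, step in enumerate(playbook, 1):
        answer = bool(step["check"](alert["context"]))
        log.append(f"step {n}: {step['instruction']} -> {'yes' if answer else 'no'}")
        if answer:
            return step["on_yes"], log
    # Nothing conclusive: escalate rather than silently close the alert.
    return "escalate", log


def rule_feedback(alerts):
    """Count verdicts per SIEM rule, the numbers to hand to the rule authors."""
    stats = defaultdict(lambda: {"true_positive": 0, "false_positive": 0, "escalate": 0})
    for a in alerts:
        verdict, _ = run_playbook(a)
        stats[a["rule"]][verdict] += 1
    return dict(stats)


if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        verdict, log = run_playbook(a)
        print(f"alert {a['id']} ({a['rule']}): {verdict}")
        for line in log:
            print("   ", line)
    print(rule_feedback(SAMPLE_ALERTS))
```

The step log is what gets recorded in the ticket, so a second analyst can see exactly which instruction closed the alert; the per-rule counts make the feedback to the SIEM rule team specific ("this rule fires on the backup agent") instead of a vague complaint about noise.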