14.5. Incident Details

Clicking the Show button will take you to a new tab (with the name formed of the ID and the entered incident name) showing details about the selected incident. In this tab, you can also Edit and Comment on the incident, Assign a different person to the incident, and change the Workflow state. In addition to the incident details displayed in the Incidents log tab (see more in the Incidents Log section), you can view the following information.

The Triggered alerts section shows the triggered analytics rule alerts added to the incident. For more details, see the section Triggered Alerts. To add triggered alerts to the incident, click Add to incident and select the triggered alerts to be added to the incident. To view the details for a triggered alert for analytics rule, select it and click Show details. You can also view triggered alert details by clicking Show. To remove the triggered alert for analytics rule from the incident, click Remove from incident. By clicking Export as CSV, you can save the list of triggered analytics rule alerts added to incidents in a .csv file for subsequent analysis.

The Logs section displays detailed information about events from all logs (for more details on log records, see the section Analytics Search). To add events to the incident, click Add to incident select the events to be added. To remove unneeded events, use the Remove from incident button.

The Observables section displays the observation results for the objects specified in the settings. Observables are needed to simplify the analysis of a cybersecurity incident, make the right decision, and reduce the time spent on the incident. The relevant information is obtained with the help of enrichment services (for more on these, see the section External Enrichment Services). To view the detailed information provided by an enrichment service, open the enrichment service settings by clicking on the service.

To create an observable, click Add and provide the settings shown in the table below.

Name

Description

Observable type

Select one of the following observable types:

  • Autonomous system: a system of IP networks and routers under unified management.

  • Domain: the name of an Internet website.

  • File: a file to collect information about.

  • File name: the name of a file to collect information about.

  • FQDN: a fully qualified domain name.

  • Hash: a hash of some file, e.g. a file added to the incident.

  • Host name: the label of a device connected to a computer network and used for device identification.

  • IP: a unique address identifying the device in a computer network.

  • Mail: an email address.

  • Mail subject: the contents of the email's subject field.

  • Registry: a Microsoft Windows registry key is a directory where the settings and parameters of the operating system are stored.

  • URI path: a character sequence identifying an abstract or physical resource.

  • URL: the individual Internet address of the resource.

  • Useragent: an alphanumeric string identifying the software that sends a request to the server and at the same time requests access to a website.

  • Other.

Value

Specify the object to deal with, such as an IP address, domain, etc.

Attack type

Select one of the following attack types:

  • BotNet: a network of infected computers controlled remotely by malicious actors.

  • Phishing: a type of Internet scam that aims to get access to confidential user data such as logins and passwords.

  • Malware: any software that attempts to infect a computer or mobile device.

  • DDoS: a method of bringing a website down by sending numerous requests to it that overwhelm the network.

  • Traffic hijack: malicious redirection of traffic.

  • Network scanning: scanning network nodes for vulnerabilities.

  • Brute force: a method of cracking user accounts by guessing their passwords.

  • Compromised: an actual or suspected case of unauthorized access to protected information.

  • Spam: mass distribution of unsolicited email messages of commercial, political, or other nature using specialized software.

  • Other.

TLP

A TLP (Traffic Light Protocol) marking of confidential information. The following TLP marks are possible:

  • RED: the information is highly confidential.

  • AMBER: the information can be shared within the organization when necessary.

  • GREEN: the information can be widely distributed within a certain community.

  • WHITE: the information can be distributed freely and does not infringe copyright.

Is IoC?

Set this checkbox if the object is a potential indicator of compromise.

Services

The list of services used to obtain additional information on the observable objects. Displayed automatically after selecting the observable type. Available in the General settings --> Libraries --> External enrichment services section. For more details, see the section External Enrichment Services.

Updated

The date and time when the service was last updated.

To edit or remove observables, use the Edit or Remove buttons, respectively.

In the Activity section, you can view the comments for the incident and its change history (adding watchers, changing the workflow state, etc.).

To generate a report on the incident, click Generate report and select one of the following:

  • Incident report: a custom report that can be generated in English or Russian using PDF or HTML formats. You can use the templates listed in the Logs and reports --> Incident reports --> Incident report rules section.

  • GOSSOPKA report: uses the GOSSOPKA incident info template that conforms to the requirements for GosSOPKA reports. The report can be simply downloaded (using the Generate file button) or sent directly in the desired format to the specified GosSOPKA system account (using the Send via net button). To send the report automatically, the user must specify their GosSOPKA account and provide a secure data link. For more details, see the section Sending Cybersecurity Incident Reports to GosSOPKA.