Security Incident Creation and Threat Intelligence Flashcards
Who is responsible for the alert rules used to automatically generate security incidents?
Security Admin
What application is activated with the Security Incident Response Event Management Support plugin?
Event Management -
This allows the Security Incident Response system to receive security events from integrated third-party alert monitoring tools, such as Splunk, and to use the imported data to create security incidents.
How are Security Incidents created from Events and Alerts?
Events are imported from alert monitoring tools; they are first processed by Event Management and grouped into Alerts.
What are the 5 categories in Guided Setup Assistant for Security Incident Response?
- System Administration
- Security Incident Response Administration
- Security Incident Email Settings
- Security Incident Playbook Settings
- Capability Configuration (Workflow Actions, sighting search, email block and delete)
What are the steps in the Incident Response Lifecycle?
Preparation
Detection and Analysis
Containment, Eradication and Recovery
Post Incident Activity
What role is key in the Analysis stage of Security Incident Response?
sn_si.analyst
What does the Detection and Analysis stage of SIR consist of?
Detection originates from tools such as Firewalls, Intrusion Detection Systems, logs of emails and web gateways, but could also be raised through manual means.
Analysis is mainly a manual process (security analysts working the incident) but could also be automated to perform some number-crunching and enrichment prior to manual decisions.
What are the 5 setup categories in the SIR Setup Assistant, and what roles are required?
5 setup categories
1. System Administration
2. Security Incident Response Administration
3. Security Incident Email Settings
4. Security Incident Playbook Settings
5. Capability Configurations (workflow actions, sighting search, email block and delete)
Roles: Admin and Security Incident Administrator [sn_si.admin]
Requests raised through the Security Incident Catalog are all handled by what, which then drives the actions?
Record Producers
Adding new items to the Security Incident Catalog requires what role?
sn_si.admin
Users will inevitably report security issues via Incident. An agent can then escalate the Incident to a Security Incident by using what button on the Incident form?
Create Security Incident
Agents who escalate to a Security Incident may not see information on the Security Incident due to the confidentiality policy.
What is Threat Intelligence (definition)?
The process of collecting valuable or critical information in order to act on or respond to an event
Threat Intelligence Consists of ________, ________, and _________
Threats, threat actors, and TTPs (Tactics, Techniques, and Procedures)
What are the stages of the Threat Intelligence Lifecycle?
Aggregate, Contextualize, Prioritize, Utilize, and Learn
What are TTPs (Tactics, Techniques, and Procedures)?
Patterns of activities or methods associated with a specific threat actor or group of threat actors
Analysis of TTPs aids in counterintelligence and security operations by describing how threat actors perform attacks