Security Incident Response Management

Question 1

How do you navigate to Analyst workspace?

Answer 1

Security Incident > Incidents (New UI)

Question 2

what are the baseline two polling properties and what is the polling interval set to Out of Box?

Answer 2

sn_app_secops_ui.poller_interval.related_list

sn_app_secops_ui.poller_interval.search_action

Polling interval is set to 30 secs
often customer will set this to 10 secs to provide better response time when working on the analyst workspace.

Question 3

Analyst Workspace Landing Page Configuration - what are the tags used for filters to display? There are 4.

Answer 3

SN_SI_Primary

SN_SI_Primary_OOB

SN_SI_Secondary

SN_SI_Secondary_OOB

SN_SI_Primary_OOB tag will cause the filter to appear in the drop down for all users

SN_SI_Primary tag will allow a user to personalize their filters with that option.

Question 4

for an Analyst Workspace Landing page configuration; Who is the only persona allowed to create new filters?

Answer 4

Platform Admins

Question 5

What UI actions were recently added to the Analyst Workspace?

Answer 5

Able to add manual task in the playbook

Able to assign a response task in the playbook to a selected user

Able to send Email communications from the new UI while working on the incident (Default Template Email)

Question 6

UI actions can be viewed and news can be add by navigating to where?

Answer 6

security Incident > Analyst Workspace > Setup (New UI) > FormUI Actions

if adding new UI actions, there is a step to enable the actions described in Product docs.

Question 7

Additional Related lists added are ?

Answer 7

Alerts - Source of incident creation; Under ‘Incidents’ Category; Relationships definition exists on ‘em_alert’ table

Task - An action that user needs to perform to analyze, contain, eradicate, recover an incident; under ‘Investigation’ category

Reverse Whois - Domain lookups; Under ‘Observable’ > ‘ReverseWhois Domains’ category; Relationship definition exists on ‘sn_sec_whois_rvs_domain’ table.

Shodan - Observable enrichment with Service Banners (host name, device type, OS, Geo location and connected ISP)

RiskIQ - Observable enrichment and insight into the validity of websites by SSL Certificates lookup; Relationship definition exists on
‘sn_sec_riskiq_ssi_certificate_entry’ table

Question 8

Analyst Workspace Email templates are located where?

Answer 8

System Policy > Email > client templates

Question 9

Security Incidents can be assigned by which 3 ways?

Answer 9

Manually

Based on Flows

Auto-assignment

Question 10

What are the factors considered when auto-assigning Security Incidents?

Answer 10

Agent’s timezone
Agent’s Location
Agent’s Skills/Capabilities

Question 11

When analyzing incidents, groups may hand-off incidents to other groups with more appropriate knowledge, skillset, or areas of responsibility.
What application allows a quicker, better way to get the incident in front of the right person - fast?

Answer 11

Escalation groups

Question 12

How do you navigate to escalations?

Answer 12

Security Operations > Groups > Escalations

Question 12

How do you navigate to escalations?

Answer 12

Security Operations > Groups > Escalations

Question 13

A user must have what role to configure Major Security Incident Management?

Answer 13

sn_msi.workspace_manager

Question 14

The report template section contain various subsections on how to construct the report subsections and its elements with

Answer 14

Branding: Add branding to your Report Templates

Template Scripts: use template scripts in your Report Template

Visualizations: use Visualizations in your report template

Lists: use reports list in your report template

Question 15

Major Security Incident Management Benefits?

Answer 15

Propose a security incident to major Security incident Candidate to initiate a review process on the need to create a major security incident

Directly promote a security incident to a major security incident without the need for an additional review process

reject a security incident this proposed as a major security incident

Link a security incidents as child incidents to the major security incident (MSI) so that all security incidents can be worked.

Question 16

Major Security Incident Management Key features are?

Answer 16

Dedicated workspace for managing MSI specifically designed for the MSI manager user role

Organize response tasks across multiple child Security Incidents

Automate creation of collaboration folders and chat communications channels once a MSI is created, as well as archival as part of incident closure.

File explorer component to organize and track collection of artifact (files) related to the MSI via a MicroSoft Sharepoint integration

Hate channel manager and activity team components to manage communications across multiple security, IT, and functional groups via Microsoft teams integration.

Question 17

Major Security Incident Management Status Report capabilities are?

Answer 17

Create your own report template that can be applied to the MSIs and generate the customer status reports.

Add standard and customer Major Security Incident Response form fields to report templates that are dot-walkable. In addition, you can formate and configure the report.

Use template scripts to include the related lists data, date operations, and any other data that are not directly dot-walkable

Add branding to your sports such as header and footer image, header and footer text.

Question 18

Executive status reports that includes what?

Answer 18

A brief summary of the report

MSI duration column

Incident scope/impact

active team metrics

progress metrics

Timeline component

Question 19

Major Security Incident Management (MSIM) workspace to track and resolve major security incidents with Good Practice tips

Answer 19

View the trend charts and progress of MSI

Track and organize Microsoft Sharepoint files activity via the MSIM workspace.

Track and organize Microsoft Teams chat activity via the MSIM workspace

View and update incident details via the MSIM workspace

Filter collaboration activities in the MSIM workspace Activity stream.

Question 20

When using Security Tags what is the TLP: Green used for?

Answer 20

When information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector

Question 21

What is TLP: Amber security tag used for ?

Answer 21

when information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved

Question 22

When is TLP: Red security tags used for ?

Answer 22

When information cannot be effectively acted upon by additional parties, and could lead to impacts on party’s privacy, reputation, or operations if misused.

Question 23

What records are Security tags applied too?

Answer 23

Security incidents
Response task
Vulnerable items
observables
Indicators of Compromise (IoC)
Security Cases

Question 24

What are the default classification groups for Security tags?

Answer 24

Enrichment Blacklist/Whitelist used to categorize running process into Whitelist (known good and can be safely ignored) or Blacklist (know to be bad) Based on these lists, the platform only shows processes that are blacklisted or uncategorized

Metatag Provided as demo data - use it to create classification tags for security operations applications

Traffic Light Protocol (TLP) used to ensure that sensitive information is shared with the correct audience, using colors to indicate different degrees of sensitivity.

Question 25

What are the provided baselines default for SIR process definitions?

This defines the sequential stages in the lifecycle of a security incident

Answer 25

NIST stateful is the default process definition

NIST Open

SANS Open

Question 26

What is the difference between NIST open and NIST stateful?

Answer 26

NIST Stateful follows the NIST guidelines for the lifecycle step by step in order. NIST Open allows the user to move from each step freely.

Question 27

Where can you find the Security Incident Response Process Definitions and the one process that is in used?

Answer 27

All definitions can be found by navigating to Security Incident > Administration > Process Definitions

the definition that is in use is located at Security Incident > Administration > Process Selection