Security Incident Response Management Flashcards
How do you navigate to Analyst workspace?
Security Incident > Incidents (New UI)
What are the two baseline polling properties, and what is the polling interval set to out of the box?
sn_app_secops_ui.poller_interval.related_list
sn_app_secops_ui.poller_interval.search_action
The polling interval is set to 30 seconds out of the box.
Customers often lower this to 10 seconds for better response time when working in the Analyst Workspace. A shorter interval means every open workspace session polls the instance more often, so weigh responsiveness against instance load.
Analyst Workspace landing page configuration: which four tags control which filters are displayed?
SN_SI_Primary
SN_SI_Primary_OOB
SN_SI_Secondary
SN_SI_Secondary_OOB
The SN_SI_Primary_OOB tag causes the filter to appear in the drop-down for all users.
The SN_SI_Primary tag allows a user to personalize their filters with that option.
In the Analyst Workspace landing page configuration, which is the only persona allowed to create new filters?
Platform Admins
What UI actions were recently added to the Analyst Workspace?
Add a manual task to the playbook
Assign a playbook response task to a selected user
Send email communications from the new UI while working on the incident (default email template)
Where do you navigate to view UI actions and add new ones?
Security Incident > Analyst Workspace > Setup (New UI) > Form UI Actions
When adding new UI actions, there is an additional step to enable the actions, described in the product docs.
Which additional related lists were added?
Alerts: the source of incident creation; under the 'Incidents' category; the relationship definition exists on the 'em_alert' table.
Task: an action the user needs to perform to analyze, contain, eradicate, or recover from an incident; under the 'Investigation' category.
Reverse Whois: domain lookups; under the 'Observable' > 'ReverseWhois Domains' category; the relationship definition exists on the 'sn_sec_whois_rvs_domain' table.
Shodan: observable enrichment with service banners (host name, device type, OS, geolocation and connected ISP).
RiskIQ: observable enrichment and insight into the validity of websites via SSL certificate lookup; the relationship definition exists on the 'sn_sec_riskiq_ssi_certificate_entry' table.
Where are the Analyst Workspace email templates located?
System Policy > Email > Client Templates
Security incidents can be assigned in which three ways?
Manually
Based on Flows
Auto-assignment
What factors are considered when auto-assigning security incidents?
Agent's time zone
Agent's location
Agent's skills/capabilities
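To make the three factors concrete, here is an added example (not ServiceNow's own assignment code, and not a claim about how the platform weighs these factors) that filters candidate agents by required skills, then prefers agents who are on shift in their own time zone at the moment the incident arrives, and finally prefers agents in the same location. The agents, the incident and the shift windows are constructed sample data; the scoring weights are an assumption chosen for illustration. It runs stand-alone in Node.js.

```javascript
// Illustrative auto-assignment picker (added example; the weights and the
// sample agents are assumptions, not the platform's actual logic).

// Constructed sample roster. `shift` is [startHour, endHour) in the agent's own time zone.
const AGENTS = [
  { name: 'alice', timeZone: 'America/New_York', location: 'NYC',       skills: ['malware', 'forensics'], shift: [9, 17] },
  { name: 'bob',   timeZone: 'Europe/London',    location: 'London',    skills: ['malware', 'phishing'],  shift: [9, 17] },
  { name: 'chen',  timeZone: 'Asia/Singapore',   location: 'Singapore', skills: ['malware'],              shift: [9, 17] },
];

// Hour of day (0-23) for `date` as seen in the given IANA time zone.
function localHour(date, timeZone) {
  const parts = new Intl.DateTimeFormat('en-US', { timeZone, hour: 'numeric', hourCycle: 'h23' }).formatToParts(date);
  return Number(parts.find(p => p.type === 'hour').value);
}

// Time-zone factor: is the agent inside their working hours right now?
function onShift(agent, now) {
  const h = localHour(now, agent.timeZone);
  return h >= agent.shift[0] && h < agent.shift[1];
}

// Skills factor: the agent must hold every skill the incident requires.
function hasSkills(agent, requiredSkills) {
  return requiredSkills.every(s => agent.skills.includes(s));
}

// Returns the name of the chosen agent, or null if nobody is qualified
// (in that case the incident should stay unassigned for manual triage
// rather than being pushed to someone who cannot work it).
function pickAssignee(incident, candidates, now) {
  const eligible = candidates.filter(a => hasSkills(a, incident.requiredSkills));
  if (eligible.length === 0) return null;
  const scored = eligible.map(a => ({
    agent: a,
    // Assumed weights: being on shift matters more than being co-located.
    score: (onShift(a, now) ? 2 : 0) + (a.location === incident.location ? 1 : 0),
  }));
  // Highest score wins; ties broken by name so the result is deterministic.
  scored.sort((x, y) => y.score - x.score || x.agent.name.localeCompare(y.agent.name));
  return scored[0].agent.name;
}

// Constructed sample incident: malware case reported from the London office.
const SAMPLE_INCIDENT = { requiredSkills: ['malware'], location: 'London' };

// 14:00 UTC: alice (09:00 EST) and bob (14:00 GMT) are on shift, chen (22:00 SGT) is not.
console.log(pickAssignee(SAMPLE_INCIDENT, AGENTS, new Date('2024-01-15T14:00:00Z')));
// 02:00 UTC: only chen (10:00 SGT) is on shift, so the incident follows the sun.
console.log(pickAssignee(SAMPLE_INCIDENT, AGENTS, new Date('2024-01-15T02:00:00Z')));
```

The second call shows why time zone is a factor at all: the co-located agent loses to the one who is actually at work. Skills act as a hard filter rather than a score because assigning an incident to someone without the capability to work it only delays the hand-off to an escalation group.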
When analyzing incidents, groups may hand off incidents to other groups with more appropriate knowledge, skill sets, or areas of responsibility.
Which application provides a quicker, better way to get the incident in front of the right person fast?
Escalation groups
How do you navigate to escalations?
Security Operations > Groups > Escalations
Which role must a user have to configure Major Security Incident Management?
sn_msi.workspace_manager
The Report Template section contains subsections on how to construct the report and its elements:
Branding: add branding to your report templates
Template Scripts: use template scripts in your report template
Visualizations: use visualizations in your report template
Lists: use report lists in your report template
What are the benefits of Major Security Incident Management?
Propose a security incident as a major security incident candidate to initiate a review process on whether a major security incident should be created
Directly promote a security incident to a major security incident without the need for an additional review process
Reject a security incident that was proposed as a major security incident
Link security incidents as child incidents to the major security incident (MSI) so that all related security incidents can be worked together
What are the key features of Major Security Incident Management?
Dedicated workspace for managing MSIs, specifically designed for the MSI manager user role
Organize response tasks across multiple child security incidents
Automated creation of collaboration folders and chat communication channels once an MSI is created, as well as archival as part of incident closure
File explorer component to organize and track the collection of artifacts (files) related to the MSI via a Microsoft SharePoint integration
Chat channel manager and activity team components to manage communications across multiple security, IT, and functional groups via a Microsoft Teams integration
What are the Major Security Incident Management status report capabilities?
Create your own report templates that can be applied to MSIs to generate custom status reports
Add standard and custom Major Security Incident Response form fields to report templates; these fields are dot-walkable. In addition, you can format and configure the report.
Use template scripts to include related-list data, date operations, and any other data that is not directly dot-walkable
Add branding to your reports, such as header and footer images and header and footer text
What does an executive status report include?
A brief summary of the report
MSI duration column
Incident scope/impact
Active team metrics
Progress metrics
Timeline component
Major Security Incident Management (MSIM) workspace: track and resolve major security incidents, with good-practice tips
View the trend charts and progress of an MSI
Track and organize Microsoft SharePoint file activity via the MSIM workspace
Track and organize Microsoft Teams chat activity via the MSIM workspace
View and update incident details via the MSIM workspace
Filter collaboration activities in the MSIM workspace Activity stream.
When using security tags, what is TLP: Green used for?
When information is useful for the awareness of all participating organizations as well as with peers within the broader community or sector
What is the TLP: Amber security tag used for?
When information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved
When is the TLP: Red security tag used?
When information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused
Note that these are the TLP 1.0 definitions; TLP 2.0 (published by FIRST in 2022) replaced TLP:WHITE with TLP:CLEAR and added TLP:AMBER+STRICT, so check which version your sharing partners use before relying on the tag.
Which records are security tags applied to?
Security incidents
Response tasks
Vulnerable items
Observables
Indicators of Compromise (IoC)
Security cases
What are the default classification groups for security tags?
Enrichment Blacklist/Whitelist: used to categorize running processes into Whitelist (known good, can be safely ignored) or Blacklist (known to be bad). Based on these lists, the platform only shows processes that are blacklisted or uncategorized.
Metatag: provided as demo data; use it to create classification tags for Security Operations applications.
Traffic Light Protocol (TLP): used to ensure that sensitive information is shared with the correct audience, using colors to indicate different degrees of sensitivity.
What are the baseline process definitions provided by default for SIR?
A process definition defines the sequential stages in the lifecycle of a security incident.
NIST Stateful (the default process definition)
NIST Open
SANS Open
What is the difference between NIST Open and NIST Stateful?
NIST Stateful follows the NIST lifecycle step by step, in order. NIST Open allows the user to move freely between steps.
Where can you find the Security Incident Response process definitions, and the one process that is in use?
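The practical difference between a stateful and an open process definition is which stage transitions the platform will accept. The added example below (not ServiceNow's process-definition engine, and not code from the page) models both rules and walks the same requested sequence of stage changes through each. The stage names are assumed from the incident-handling phases of NIST SP 800-61, not taken from the page, and the request path is constructed sample input. It runs stand-alone in Node.js.

```javascript
// Illustrative lifecycle-stage gate (added example; stage names are an
// assumption based on NIST SP 800-61, not the platform's own definitions).

const NIST_STAGES = [
  'Preparation',
  'Detection and Analysis',
  'Containment',
  'Eradication',
  'Recovery',
  'Post-Incident Activity',
];

// A process definition is an ordered list of stages plus a flag saying whether
// the order is enforced ("stateful") or merely suggested ("open").
function makeProcess(stages, stateful) {
  return { stages, stateful };
}

const NIST_STATEFUL = makeProcess(NIST_STAGES, true);   // step by step, in order
const NIST_OPEN = makeProcess(NIST_STAGES, false);      // any stage, any order

// Returns true if moving from `current` to `next` is allowed under `process`.
function canTransition(process, current, next) {
  const from = process.stages.indexOf(current);
  const to = process.stages.indexOf(next);
  if (from < 0 || to < 0) return false;         // unknown stage name is always refused
  if (!process.stateful) return from !== to;    // open: any other stage, forward or back
  return to === from + 1;                       // stateful: exactly the next stage, no skipping
}

// Apply a sequence of requested stage changes to a fresh incident, recording
// which requests were refused. Returns the final stage and the refused list.
function walk(process, requestedPath) {
  const incident = { stage: process.stages[0], history: [] };
  const refused = [];
  for (const next of requestedPath) {
    if (canTransition(process, incident.stage, next)) {
      incident.history.push(incident.stage);
      incident.stage = next;
    } else {
      refused.push(`${incident.stage} -> ${next}`);
    }
  }
  return { stage: incident.stage, history: incident.history, refused };
}

// Constructed sample: an analyst tries to jump straight to Recovery before containing.
const REQUESTED = ['Detection and Analysis', 'Recovery', 'Containment', 'Eradication'];

console.log('stateful:', JSON.stringify(walk(NIST_STATEFUL, REQUESTED)));
console.log('open:    ', JSON.stringify(walk(NIST_OPEN, REQUESTED)));
```

Under the stateful definition the jump from Detection and Analysis to Recovery is refused and the incident stays where it is until the analyst requests Containment; under the open definition every request is accepted, including the later move backwards from Recovery to Containment. When choosing between them, the stateful definition gives you an audit trail that matches the published lifecycle, while the open one trades that guarantee for flexibility during fast-moving incidents.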
All definitions can be found by navigating to Security Incident > Administration > Process Definitions.
The definition that is in use is selected at Security Incident > Administration > Process Selection.