Security Incident Response Management Flashcards

1
Q

How do you navigate to Analyst workspace?

A

Security Incident > Incidents (New UI)

2
Q

What are the two baseline polling properties, and what is the polling interval set to out of the box?

A

sn_app_secops_ui.poller_interval.related_list

sn_app_secops_ui.poller_interval.search_action

The polling interval is set to 30 seconds.
Customers often set this to 10 seconds to provide better response time when working in the Analyst Workspace.

3
Q

Analyst Workspace landing page configuration: what are the tags used to control which filters display? There are 4.

A

SN_SI_Primary

SN_SI_Primary_OOB

SN_SI_Secondary

SN_SI_Secondary_OOB

The SN_SI_Primary_OOB tag causes the filter to appear in the drop-down for all users.

The SN_SI_Primary tag allows a user to personalize their filters with that option.

4
Q

For an Analyst Workspace landing page configuration, who is the only persona allowed to create new filters?

A

Platform Admins

5
Q

What UI actions were recently added to the Analyst Workspace?

A

Able to add a manual task in the playbook

Able to assign a response task in the playbook to a selected user

Able to send email communications from the new UI while working on the incident (Default Template Email)

6
Q

Where do you navigate to view UI actions and add new ones?

A

Security Incident > Analyst Workspace > Setup (New UI) > FormUI Actions

If adding new UI actions, there is a step to enable the actions, described in the product docs.

7
Q

What additional related lists were added?

A

Alerts - Source of incident creation; under the 'Incidents' category; relationship definition exists on the 'em_alert' table

Task - An action that a user needs to perform to analyze, contain, eradicate, or recover from an incident; under the 'Investigation' category

Reverse Whois - Domain lookups; under the 'Observable' > 'ReverseWhois Domains' category; relationship definition exists on the 'sn_sec_whois_rvs_domain' table

Shodan - Observable enrichment with service banners (host name, device type, OS, geolocation and connected ISP)

RiskIQ - Observable enrichment and insight into the validity of websites by SSL certificate lookup; relationship definition exists on the 'sn_sec_riskiq_ssi_certificate_entry' table

8
Q

Where are the Analyst Workspace email templates located?

A

System Policy > Email > client templates

9
Q

In which three ways can security incidents be assigned?

A

Manually

Based on Flows

Auto-assignment

10
Q

What are the factors considered when auto-assigning Security Incidents?

A

Agent’s timezone
Agent’s Location
Agent’s Skills/Capabilities

11
Q

When analyzing incidents, groups may hand off incidents to other groups with more appropriate knowledge, skill sets, or areas of responsibility.
What application provides a quicker, better way to get the incident in front of the right person fast?

A

Escalation groups

12
Q

How do you navigate to escalations?

A

Security Operations > Groups > Escalations

13
Q

A user must have what role to configure Major Security Incident Management?

A

sn_msi.workspace_manager

14
Q

The report template section contains various subsections on how to construct the report's subsections and their elements. What are they?

A

Branding: add branding to your report templates

Template Scripts: use template scripts in your report template

Visualizations: use visualizations in your report template

Lists: use report lists in your report template

15
Q

What are the benefits of Major Security Incident Management?

A

Propose a security incident as a major security incident candidate to initiate a review process on the need to create a major security incident

Directly promote a security incident to a major security incident without the need for an additional review process

Reject a security incident that is proposed as a major security incident

Link security incidents as child incidents to the major security incident (MSI) so that all security incidents can be worked

16
Q

What are the key features of Major Security Incident Management?

A

Dedicated workspace for managing MSIs, specifically designed for the MSI manager user role

Organize response tasks across multiple child security incidents

Automate creation of collaboration folders and chat communication channels once an MSI is created, as well as archival as part of incident closure

File explorer component to organize and track the collection of artifacts (files) related to the MSI via a Microsoft SharePoint integration

Chat channel manager and activity team components to manage communications across multiple security, IT, and functional groups via a Microsoft Teams integration

17
Q

What are the Major Security Incident Management status report capabilities?

A

Create your own report template that can be applied to MSIs and generate custom status reports

Add standard and custom Major Security Incident Response form fields that are dot-walkable to report templates. In addition, you can format and configure the report

Use template scripts to include related list data, date operations, and any other data that is not directly dot-walkable

Add branding to your reports, such as header and footer images and header and footer text

18
Q

What do executive status reports include?

A

A brief summary of the report

MSI duration column

Incident scope/impact

Active team metrics

Progress metrics

Timeline component

19
Q

What does the Major Security Incident Management (MSIM) workspace let you do to track and resolve major security incidents? (Good practice tips)

A

View the trend charts and progress of an MSI

Track and organize Microsoft SharePoint file activity via the MSIM workspace

Track and organize Microsoft Teams chat activity via the MSIM workspace

View and update incident details via the MSIM workspace

Filter collaboration activities in the MSIM workspace activity stream

20
Q

When using security tags, what is TLP: Green used for?

A

When information is useful for the awareness of all participating organizations, as well as peers within the broader community or sector

21
Q

What is the TLP: Amber security tag used for?

A

When information requires support to be effectively acted upon, yet carries risks to privacy, reputation, or operations if shared outside of the organizations involved

22
Q

When is the TLP: Red security tag used?

A

When information cannot be effectively acted upon by additional parties, and could lead to impacts on a party's privacy, reputation, or operations if misused

23
Q

What records are security tags applied to?

A

Security incidents
Response tasks
Vulnerable items
Observables
Indicators of Compromise (IoC)
Security cases

24
Q

What are the default classification groups for security tags?

A

Enrichment Blacklist/Whitelist: used to categorize running processes into Whitelist (known good and can be safely ignored) or Blacklist (known to be bad). Based on these lists, the platform only shows processes that are blacklisted or uncategorized.

Metatag: provided as demo data; use it to create classification tags for Security Operations applications.

Traffic Light Protocol (TLP): used to ensure that sensitive information is shared with the correct audience, using colors to indicate different degrees of sensitivity.

25
Q

What are the baseline default SIR process definitions provided?

A process definition defines the sequential stages in the lifecycle of a security incident.

A

NIST Stateful (the default process definition)

NIST Open

SANS Open

26
Q

What is the difference between NIST Open and NIST Stateful?

A

NIST Stateful follows the NIST guidelines for the lifecycle step by step, in order. NIST Open allows the user to move between steps freely.

27
Q

Where can you find the Security Incident Response process definitions, and the one process that is in use?

A

All definitions can be found by navigating to Security Incident > Administration > Process Definitions.

The definition that is in use is located at Security Incident > Administration > Process Selection.