Security Incident Response Management Flashcards
How do you navigate to Analyst workspace?
Security Incident > Incidents (New UI)
What are the two baseline polling properties, and what is the polling interval set to out of the box?
sn_app_secops_ui.poller_interval.related_list
sn_app_secops_ui.poller_interval.search_action
The polling interval is set to 30 seconds out of the box.
Customers often lower this to 10 seconds for better response time when working in the Analyst Workspace (a shorter interval means more frequent polling requests against the instance).
Analyst Workspace Landing Page Configuration - what are the 4 tags used to control which filters are displayed?
SN_SI_Primary
SN_SI_Primary_OOB
SN_SI_Secondary
SN_SI_Secondary_OOB
The SN_SI_Primary_OOB tag causes the filter to appear in the drop-down for all users.
The SN_SI_Primary tag allows a user to personalize their filters with that option.
For Analyst Workspace Landing Page configuration, who is the only persona allowed to create new filters?
Platform Admins
What UI actions were recently added to the Analyst Workspace?
Able to add a manual task to the playbook
Able to assign a response task in the playbook to a selected user
Able to send email communications from the new UI while working on the incident (using the default email template)
Where do you navigate to view UI actions and add new ones?
Security Incident > Analyst Workspace > Setup (New UI) > FormUI Actions
When adding new UI actions, there is an additional step to enable the actions, as described in the product docs.
Which additional related lists were added?
Alerts - Source of incident creation; Under ‘Incidents’ Category; Relationships definition exists on ‘em_alert’ table
Task - An action that user needs to perform to analyze, contain, eradicate, recover an incident; under ‘Investigation’ category
Reverse Whois - Domain lookups; Under ‘Observable’ > ‘ReverseWhois Domains’ category; Relationship definition exists on ‘sn_sec_whois_rvs_domain’ table.
Shodan - Observable enrichment with Service Banners (host name, device type, OS, Geo location and connected ISP)
RiskIQ - Observable enrichment and insight into the validity of websites via SSL certificate lookup; Relationship definition exists on ‘sn_sec_riskiq_ssi_certificate_entry’ table
Analyst Workspace Email templates are located where?
System Policy > Email > client templates
Security Incidents can be assigned by which 3 ways?
Manually
Based on Flows
Auto-assignment
What are the factors considered when auto-assigning Security Incidents?
Agent’s timezone
Agent’s Location
Agent’s Skills/Capabilities
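The three factors above are listed on the flashcard without a mechanism. The following is an added illustration, not ServiceNow's auto-assignment code: a small scorer that treats required skills as a hard filter, then prefers an agent who is on shift in their own time zone over one who is merely co-located. The agent roster, the 08:00-18:00 working window, the weights and the fixed timestamp are all constructed for the example.

```javascript
// Added example (not ServiceNow code): a minimal auto-assignment scorer that
// weighs the three factors on the page: the agent's time zone, location and
// skills. Roster, working-hours window, weights and timestamp are constructed.

const WORK_START = 8;   // local hour (inclusive) when an agent's shift begins
const WORK_END = 18;    // local hour (exclusive) when the shift ends

// Constructed agent roster; in a real instance this would come from user records.
const AGENTS = [
  { name: "alice", timeZone: "America/New_York", location: "New York",  skills: ["malware", "forensics"] },
  { name: "bob",   timeZone: "Europe/London",    location: "London",    skills: ["phishing"] },
  { name: "carol", timeZone: "Asia/Singapore",   location: "Singapore", skills: ["malware", "phishing", "forensics"] },
];

// Local hour (0-23) in an IANA time zone at the given instant.
function localHour(timeZone, at) {
  const parts = new Intl.DateTimeFormat("en-US", { timeZone, hour: "numeric", hourCycle: "h23" })
    .formatToParts(at);
  return parseInt(parts.find((p) => p.type === "hour").value, 10);
}

// Time-zone factor: is the agent inside their working window right now?
function onShift(agent, at) {
  const h = localHour(agent.timeZone, at);
  return h >= WORK_START && h < WORK_END;
}

// Skills factor, treated as a hard requirement: the agent must hold every skill.
function hasSkills(agent, required) {
  return required.every((s) => agent.skills.includes(s));
}

// Score an agent for an incident. null means "not a candidate at all".
// On-shift (2) outweighs co-located (1), so an off-shift local agent loses to
// an on-shift remote one; both weights are constructed for this example.
function scoreAgent(agent, incident, at) {
  if (!hasSkills(agent, incident.requiredSkills)) return null;
  let score = 0;
  if (onShift(agent, at)) score += 2;
  if (agent.location === incident.location) score += 1;
  return score;
}

// Returns the best-scoring agent's name, or null when nobody holds the skills.
function autoAssign(incident, at, agents = AGENTS) {
  let best = null;
  for (const agent of agents) {
    const score = scoreAgent(agent, incident, at);
    if (score === null) continue;
    if (best === null || score > best.score) best = { name: agent.name, score };
  }
  return best ? best.name : null;
}

// Constructed instant: 2024-03-05 14:00 UTC (before US DST), so New York is
// 09:00, London 14:00 and Singapore 22:00.
const NOW = new Date("2024-03-05T14:00:00Z");
console.log(autoAssign({ requiredSkills: ["malware", "forensics"], location: "New York" }, NOW)); // alice
console.log(autoAssign({ requiredSkills: ["phishing"], location: "Singapore" }, NOW));           // bob
console.log(autoAssign({ requiredSkills: ["cloud"], location: "London" }, NOW));                 // null
```

The second call shows why the time-zone factor matters: carol is in Singapore, where the incident is, but it is 22:00 for her, so the on-shift agent in London is chosen instead. The third call returns null rather than picking an unqualified agent, which is the case a flow or manual assignment would then have to handle.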
When analyzing incidents, groups may hand off incidents to other groups with more appropriate knowledge, skill sets, or areas of responsibility.
What application provides a quicker, better way to get the incident in front of the right person fast?
Escalation groups
How do you navigate to escalations?
Security Operations > Groups > Escalations
A user must have what role to configure Major Security Incident Management?
sn_msi.workspace_manager
The Report Template section contains subsections on how to construct the report and its elements:
Branding: add branding to your report templates
Template Scripts: use template scripts in your report template
Visualizations: use visualizations in your report template
Lists: use report lists in your report template