Security Incidents
Security Incidents represent actionable security concerns or threat(s) identified as a result of an investigation by our SOC analysts. The security incident contains information about the threat(s) and how best to mitigate or minimize the risk.
Security Incidents are reported to you following our Incident Management process and are associated with tickets within the Samurai MDR portal and downloadable in PDF format if desired.
Security Incident Notification
As per the Managed Detection and Response Service Description, notifications are provided by telephone or email based on severity:
- Critical severity: Phone / E-mail notifications.
- Low, Medium, High severity: E-mail notifications.
Contact information for notifications is captured during the MDR on-boarding process; however, you can update contact details or telephone numbers by raising a ticket, during Threat Reviews, or by contacting your Customer Success Manager (CSM).
Viewing Security Incidents
To access Security Incidents, click on Security Incidents from the main menu.
Figure 1: Example Security Incidents
Security Incident Dashboard
Figure 2: Example dashboard
The Security Incidents dashboard panel displays the following summary counts:
- Awaiting feedback - Security Incidents awaiting your feedback and/or action
- Awaiting SOC - Security Incidents awaiting response from the SOC
- Closed - all closed Security Incidents
- Total - total number of Security Incidents
Security Incident Fields
The Security Incident fields (outlined in red in Figure 1) are described below:
1. Reference
- Reference number of the Security Incident.
2. Severity
- All Security Incidents are categorized with a severity that describes the reported threat.
| Severity | Description |
|---|---|
| Critical | Security Incidents that threaten a significant adverse impact on the affected systems. These issues have a high probability of spreading or propagating, and pose a threat to confidential or otherwise sensitive data or systems. Critical Security Incidents require immediate attention for remediation or mitigation. |
| High | Security Incidents where the threat, if exploited, could lead to compromise of the system and/or loss of information. These should be investigated in a timely fashion. |
| Medium | Minor Security Incidents with a low risk of spreading or propagating. These should be tracked and followed up, but generally require no immediate action. |
| Low | An observed security-related event that could be an indicator of a threat, or is interesting from another perspective, but does not constitute a direct security incident or threat. |
- The MDR Security Analyst assigns the threat severity based on an informed assessment of the specific situation and past experience.
- The assigned severity level gives you a quick way to assess how important a threat is and what priority it should be given. This allows you to re-prioritize your actions and start mitigating threats quickly.
- Hopefully you will not experience any Critical security incidents!
3. State
- Each Security Incident has an assigned state that quickly shows who is responsible for follow-up.
| State | Description |
|---|---|
| Awaiting Feedback | The Security Incident has been created or updated and is awaiting your feedback / response. |
| Awaiting SOC | The Security Incident is currently awaiting feedback / input from the SOC. |
| Closed | The Security Incident is closed. |
4. Title
- A “one-liner” that describes the content of the reported Security Incident. This field is used when listing tickets and within notifications.
5. Categories
- To make it easier to understand the threat and perform additional mitigation actions, we categorize each threat according to a tactic in the MITRE ATT&CK framework for IT and OT.
For more details about MITRE ATT&CK tactics:
- IT: Enterprise Matrix
- OT: ICS Matrix
Mapping to MITRE ATT&CK tactics lets you use the associated MITRE techniques for additional threat hunting and mitigation.
6. Revision
- If a threat changes or develops, or new relevant information becomes available, a new revision of the Security Incident is created. The revision number is shown in this field.
7. Created
- Date and time of creation of the Security Incident in the format [yyyy:mm:dd], [hh:mm:ss], with time expressed in Coordinated Universal Time (UTC).
8. Updated
- Date and time of the last update to the Security Incident in the format [yyyy:mm:dd], [hh:mm:ss], with time expressed in Coordinated Universal Time (UTC).
What now?
Click on a Security Incident to view more detail and work directly with our SOC in the Situation Room.