Skip to main content

Introduction

One of the foundations of security incident response is understanding your environment’s data. It can be compared to putting together pieces of a puzzle. Data from different sources is correlated based on security engineering rules to generate incidents that need to be reviewed. The purpose of this article is to explain how data is streamed into ContraForce and how ContraForce can help take the guesswork out of incident response.

How do we go from Event to Incident?

Events to incidents flow The diagram above shows how events are grouped into alerts to then generate incidents. Lets look at what each stage means.

Events

Events include everything that has been observed on a system or environment. Event data can be thought of as audit logs. Events can be generated from a user, an application, or even a process. Many events simply generated from day to day activities or updates. Events are the foundation for detecting security incidents as the first steps an attacker may take will be captured.

Alerts

Alerts are a group of events that are related to a certain action or observation. Most data-sources have native rules and logic to generate alerts. The ContraForce engine automatically ingests and reviews alerts generated by connected data sources as they are streamed into ContraForce.

Incidents

Incidents are generated from security rules that have been created. If a number of alerts that match a security rule, an incident is generated. Additionally, rules can correlate alerts from multiple data sources to generate incidents. This allows users to manage security operations from a single dashboard with total visibility into all their connected data sources.

What do I need to pay attention to?

Between events, alerts, and incidents there is a lot of data. Of these three, Incidents are what need to be reviewed according to their assigned severity. Incident severity can be informational, low, medium, and high. Incidents with a high severity have the most potential for a business critical security event.

Simplified Incident Response

With ContraForce, all of your security data is in one place. Reduce the workload of managing security incidents and the guess work of how to eradicate threats with simple incident management guidance.