Understanding Events, Alerts, and Incidents

ContraForce ingests data from over 100 available data sources into three classes: events, alerts, and incidents. Each class corresponds with the other and understanding the relationship between each will help you get the most out of ContraForce.

Introduction

One of the foundations of security incident response is understanding your environment's data. It can be compared to putting together pieces of a puzzle. Data from different sources is correlated based on security engineering rules to generate incidents that need to be reviewed. The purpose of this article is to explain how data is streamed into ContraForce. and how ContraForce can help take the guess work out of incident response.

How do we go from Event to Incident?

MicrosoftTeams-image (31) The diagram above shows how events are grouped into alerts to then generate incidents. Lets look at what each stage means.

Events

Events include everything that has been observed on a system or environment. Event data can be thought of as audit logs. Events can be generated from a user, an application, or even a process. Many events simply generated from day to day activities or updates. Events are the foundation for detecting security incidents as the first steps an attacker may take will be captured. 

Alerts

Alerts are a group of events that are related to a certain action or observation. Most data-sources have native rules and logic to generate alerts. The ContraForce engine automatically ingests and reviews alerts generated by connected data sources as they are streamed into ContraForce.

Incidents

Incidents are generated from security rules that have been created by the ContraForce Security Engineering team. If a number of alerts that match a security rule, an incident is generated. Additionally, rules can correlate alerts from multiple data sources to generate incidents. This allows users to manage security operations from a single dashboard with total visibility into all their connected data sources.  

What do I need to pay attention to? 

Between events, alerts, and incidents there is a lot of data. Of these three, Incidents are what need to be reviewed according to their assigned severity. Incident severity can be informational, low, medium, and high. Incidents with a high severity have the most potential for a business critical security event. 

Where can I review alerts and incidents in ContraForce? 

Incidents can be reviewed on the Incidents page. Additionally, high severity incidents can be reviewed on the Command page within the Needs Attention card. For more information around an incident, click the title of the incident then Timeline and/or Investigate.

 

ContraForce Command Page - Needs AttentionContraForce Command Page

 

Screenshot (144)ContraForce Incidents Page

Screenshot (143)

ContraForce Incident Details

Simplified Incident Response

With ContraForce, all of your security data is in one place. Reduce the workload of managing security incidents and the guess work of how to eradicate threats with simple incident management guidance.