This article covers the basics of how to use the ContraForce Incidents page.
The Incidents page expands on much of the data shown on the Command Page, but focuses exclusively on the incidents generated by the ContraForce platform. For the operator, this is the page where investigations originate.
This page is especially useful for teams with multiple analysts overseeing an environment.
|Timeframe Dropdown||The Timeframe Dropdown is visible at the top right of the page. It offers the options 24 hours, 48 hours, 7 days, 14 days, and 28 days, and the charts and metrics on this page are scoped to the selected timeframe.|
|Incidents by Source||Incidents by Source shows the count of incidents for each data source. If one data source is consistently generating more incidents than the others, that source deserves special attention: it may be under active attack, or its detection rules may be too noisy and need tuning. A trend line compares the count against the previous time period.|
|Incidents by MITRE Tactic||Incidents by MITRE Tactic maps incidents onto the tactics of the MITRE ATT&CK framework. This is useful to the operator because it shows which adversary objectives (for example Initial Access, Credential Access, or Lateral Movement) are represented in the environment, and since tactics follow the progression of an intrusion, it helps determine what stage an attack has reached.|
|Incidents by Severity||Incidents by Severity is a graphical representation of how many incidents have been classified as low, medium, or high for the selected timeframe. Hovering over a column shows the total number of incidents at that severity level.|
|Open Incidents||The Open Incidents graph shows the same information as on the Command Page. It gives the user a sense of the total number of incidents generated in their environment within the selected timeframe. The time labels on the x-axis change with the timeframe selected. Hovering over a column shows a summary of the number of New, Active, and Closed incidents.|
|MTTR (Mean Time to Resolve)||MTTR shows the average time taken to close incidents. It is a good indicator of how well you, or your team, are managing the environment. It is also very useful for partners monitoring multiple environments, since it allows them to compare environments against each other.|
|Assignee List||For teams with multiple analysts handling incidents, the Assignee List is very useful for managing workloads. Teams can see at a glance who is working on which incidents, which results in better incident management.|
|Incident Update Countdown||The Incident Update Countdown is used when service level agreements (SLAs) are in place. It shows how much time remains before an incident must be updated, so a team can make sure incidents are being handled within the agreed timeframe.|
|Playbooks Ran||Playbooks Ran shows which playbooks (automations) have run automatically in response to incidents.|
|All Incidents||All Incidents shows the incident queue. It can be toggled between all incidents that have been generated and only those with the status Open. From this table the assignee and status of an incident can be changed, and a search function helps find specific incidents.|
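To make the numbers behind the Open Incidents graph, the MTTR figure, the Incident Update Countdown and the open/all toggle concrete, the following is an added example (not ContraForce code, and not its data model) that derives those metrics from a constructed list of incident records. The record fields, the fixed "now" timestamp, the 8-hour SLA and the assumption that "open" means any status other than Closed are all assumptions made for the illustration.

```python
"""Derive Incidents-page style metrics from an incident list.

Added example; not ContraForce code. Field names, timestamps and the SLA
value are assumptions chosen for illustration.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Fixed "current time" so the example is reproducible offline (assumption).
NOW = datetime(2024, 3, 8, 12, 0, 0, tzinfo=timezone.utc)

# Constructed sample incidents (not real data). "closed" is None while open.
INCIDENTS = [
    {"id": 1, "source": "Azure AD", "severity": "high",
     "tactic": "Credential Access", "status": "Closed", "assignee": "alice",
     "created": "2024-03-01T08:00:00Z", "closed": "2024-03-01T10:00:00Z"},
    {"id": 2, "source": "Microsoft 365", "severity": "medium",
     "tactic": "Initial Access", "status": "Closed", "assignee": "bob",
     "created": "2024-03-07T09:00:00Z", "closed": "2024-03-07T15:00:00Z"},
    {"id": 3, "source": "Azure AD", "severity": "high",
     "tactic": "Persistence", "status": "Active", "assignee": "alice",
     "created": "2024-03-08T02:00:00Z", "closed": None},
    {"id": 4, "source": "Defender for Endpoint", "severity": "low",
     "tactic": "Execution", "status": "New", "assignee": None,
     "created": "2024-03-08T11:00:00Z", "closed": None},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-03-08T02:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def in_timeframe(incidents, now, hours):
    """Incidents created within the last `hours` (the Timeframe Dropdown)."""
    cutoff = now - timedelta(hours=hours)
    return [i for i in incidents if parse_ts(i["created"]) >= cutoff]


def count_by(incidents, field):
    """Counts per field value: source, severity, tactic, status, assignee.
    A missing assignee is reported as "unassigned" so it stays visible."""
    return dict(Counter(i.get(field) or "unassigned" for i in incidents))


def mttr_hours(incidents):
    """Mean time from creation to closure over Closed incidents, in hours.
    Returns None when nothing in the set has been closed yet."""
    durations = [
        (parse_ts(i["closed"]) - parse_ts(i["created"])).total_seconds() / 3600
        for i in incidents
        if i["status"] == "Closed" and i["closed"]
    ]
    return sum(durations) / len(durations) if durations else None


def sla_remaining_hours(incident, now, sla_hours):
    """Hours left until the SLA deadline (negative when already breached);
    None for Closed incidents, which no longer count down."""
    if incident["status"] == "Closed":
        return None
    deadline = parse_ts(incident["created"]) + timedelta(hours=sla_hours)
    return (deadline - now).total_seconds() / 3600


def open_queue(incidents):
    """The 'open' view of the All Incidents table: everything not Closed."""
    return [i for i in incidents if i["status"] != "Closed"]


if __name__ == "__main__":
    window = in_timeframe(INCIDENTS, NOW, 24)
    print("last 24h by status:", count_by(window, "status"))
    print("by severity (all):", count_by(INCIDENTS, "severity"))
    print("by assignee (open):", count_by(open_queue(INCIDENTS), "assignee"))
    print("MTTR hours (all):", mttr_hours(INCIDENTS))
    for inc in open_queue(INCIDENTS):
        print("incident", inc["id"], "SLA hours left:",
              sla_remaining_hours(inc, NOW, 8))
```

Incident 3 in the sample has already blown past the assumed 8-hour SLA, which is the situation the Incident Update Countdown exists to surface; the MTTR for the 24-hour window is None because nothing created in that window has been closed, a case a dashboard should show as "no data" rather than zero.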