This playbook explains what to do if you see an odd spike in even activity. It provides an overview of the steps in flowchart form, as well as a detailed list of procedures to walk you through the process in the GRID from beginning to end.
- These are just a few ways to clear your inbox, the number of options is almost limitless!
- The TRAC team, they perform very similar plays on your network for daily monitoring.
The Play: A high-level flow chart of the procedure
The flowchart below shows the play to help your company successfully analyze suspicious activity displayed on your dashboard.
STEP 1: Go to the Events Page
If you see a suspicious spike on the Events portion of your DefenseStorm Dashboard, select the spike to go to the Events page to determine cause.
STEP 2: Display Only Associated Events
Once you are in the Events page, move the bars within the graph to pinpoint the spike that caused suspicion.
STEP 3: Determine Cause
After you have selected your area to investigate, drill down with filter options to find which application shows the spike. In the screenshot below, CiscoASA is selected as a possible cause, but as you can see, the spike does not display in the graph. Therefore, CiscoASA is not the cause.
The screenshot below is when Malaysia is selected. This clearly displays the suspicious spike and is already rated as a high possibility for threat by the system.
STEP 4: Individual Event Information
To help investigate your system for other related events and alerts, select an individual event from the displayed list. For example, in the screenshot below you can see that the files were sent over using http, and that several files were specifically called out as being high potential threats. This information will be helpful when sorting through your Alert Inbox.
STEP 5: Create an Incident
After you have done a bit of research into an event, select a few events and create an incident.
Fill out the New Incident window as desired, and select Create. All the selected events are now associated with this incident.
STEP 6: Look for Related Alerts
After you have created the incident, go to your Alert Inbox to see if any alerts seem to be related. Remember in STEP 4: Individual Event Information, you looked at the details of an event, here is when it helps. When scrolling through your alert inbox, look for alerts that have to do with the details of your event. In this example, we look for http and the specific files listed.In the screenshot below, we did find alerts associated with HTTP, and selected that group of alerts. This alert has a count of 1015. Select the count number to determine if this alert grouping is indeed related to your incident.
Once you have clicked on the count number, it takes you to the Events page; but only events for the selected alert are displayed. The screenshot below shows that on page 4 of events, we found the event that is related to our incident from the suspicious spike.
Selecting the event gives you more details so you can verify the event has the same source as the one causing your spike.
STEP 7: Escalate Related Alert
If you find an alert that is related, as we did in the previous step, escalate that alert grouping to your incident. To do this, simply return to your Alert Inbox, select the Alert group, and escalate it to the incident. Once you escalate the alert to your incident, all alerts associated with the alert group, in this case (9), are also associated with the incident.
STEP 8: View Incident
After events and alerts have been attached to your incident, go to the Incidents page and view the incident.
Step 9: Assign the Incident
Now that you have created your incident and added relevant alerts, it’s time to edit the incident. Edit the incident in the following ways:
- Change your ticket state to Analysis.
- Assign TRAC as the incident owner to send them the incident.
You can also add watchers to your incident. Watchers cannot make changes, but are made aware of what is going on.
DefenseStorm Console Tip: All events and alerts that are associated with an Incident are kept forever as part of incident resolution statistics. So you can always come back to a certain incident and report on it.
STEP 10: Add-Ons
The incidents page also allows you to add attachments, links, and policies to your incident to provide any desired additional information.