Tickets

This article provides definitions, explanations, and recommendations for how to best use the features available on the Tickets page, including a use case walk-through. The features include Incidents, Task Schedules, Tasks, CSV downloads, bulk deletion, due dates, determining responsibility, and more.


Incidents
  • Definition: Network activity that requires additional research and possible action.
  • Generated by: System, an alert, ThreatMatch, PatternScout, or user
  • Example: Spike in Logon and Logoff Events for User: ExampleUserName

Task Schedules
  • Definition: Recurring actions that can be assigned to a responsible party.
  • Generated by: User
  • Example: Monthly Core Systems Report Review

Tasks
  • Definition: One-time action that can be assigned to a responsible party.
  • Generated by: System, User
  • Example: 1 instance of the Monthly Core Systems Report Review


Incidents

The default Incidents page shows all currently open incidents. This list can be narrowed by filtering or searching to create a specific list of incidents that can be downloaded to a CSV for your records. An incident can be created directly from the Events page to capture suspicious activity, or from within the Tickets > Incidents page. There are several Incident States that indicate what stage of the remediation process the incident is in; see the list below for descriptions.

Incident States
  • Triage - Incident requires further analysis to determine next steps. This is the default state when an incident is created.
  • Analysis - The incident has been escalated and is undergoing further analysis.
  • Remediation - Negative impacts from the incident have been determined and efforts are underway to resolve any residual damage as well as remedy the root cause.
  • Resolved - The issue has been discovered, but action is still required (updating or documenting).
  • Closed - No further action needs to be taken.

Creating an Incident from the Tickets page

  1. Tickets page > Incidents tab (default) > the blue plus sign on the top right.
  2. Give your incident a title and an owner. (If you want TRAC to review, select TRAC as the owner.)
  3. Update the severity level to Low, Medium, or High based on your concern. (Note: high indicates a 2-hour response, medium is 12 hours, low/none is next business day.)
  4. Add any Watchers and select your desired notification frequency. 
    1. All notifications 
    2. Only when opened and closed
  5. Enter Due Date.
  6. The description should include the following:
    1. Who: the host or IP address experiencing unusual activity.
    2. What: what happened to make you believe this is unusual.
    3. When: what time it occurred, whether it has stopped, and whether it is ongoing.
    4. Optional Links: links to any reference documentation.
  7. Select Create to save the incident. Once an incident is created, it is automatically placed in the Triage state and the owners/watchers are notified via email.  For incidents and tasks rated as medium and high, please call the OpsGenie number (251-333-6557) to reach the on-call engineer and inform them of the situation.


Creating an Incident through the Events page 

If a search query reveals events that require investigation, create a new incident directly from the Events page to ensure events are captured.

  1. Select the clipboard icon.  A drop-down displays with recently viewed incidents, and at the very bottom, the option to create a New Incident.
  2. Once you select New Incident, the Create Incident window displays. Fill out fields as described above, and select Create.


Updating an Incident

  1. Tickets > Incidents > click an incident to open for updates. 
  2. Add attachments, links, policies, incident state, owner, or severity.
    1. Links are connections to other incidents.
    2. Files allow uploading of any files that were associated with the investigation.
  3. Add any Watchers and select your desired notification frequency. 
    1. All notifications 
    2. Only when opened and closed
  4. Assign a policy to the incident for tracking and reporting purposes.
  5. Select the pencil icon to edit the description or add a new note.
  6. To view a summary of all actions, select the Activity Log icon on the left.


Filtered CSV Export of Incidents

You can create a filtered CSV export to view a more manageable list of incidents. Follow the steps below.

  1. Go to Tickets > Incidents (default page).
  2. Filter down your incidents as desired by State, Due Date, Severity, Owner, Created By, Created, or a Title Search.
  3. Select the cloud icon to generate your CSV.
  4. Save as an Excel sheet and format as desired.


Closing Multiple Incidents

  1. Go to Tickets > Incidents (default page).
  2. Select the checkboxes of the incidents you want to close.
  3. Select the box icon from the top right.


Tasks

Creating a task reminds you of something that needs to be done. For example: within three days, Bob needs to review the report on failed logins that generated a task today. The Task homepage displays all open tasks by default, but you can filter, add, and/or update tasks. For compliance purposes, Tasks cannot be deleted, but they can be set to a Closed or Invalid state.

How to create a Task

  1. Select Tickets > Tasks > the blue + box on the far right.
  2. Fill out the following fields
    1. Title: Subject of the task (Review failed logins report generated on 4/2/2018)
    2. Owner: Person responsible for completing the task 
    3. Add Watchers (the person assigning the task to be completed) and select your desired notification frequency.
      1. All notifications 
      2. Only when opened and closed
    4. Due Date: When the task needs to be completed by
    5. Description: What the task is. (Review the failed logins report generated yesterday, 4/2/2018. Look for any user accounts with suspiciously high numbers of failures, and for after-hours attempts.) Make a note here with your findings once it's completed.


Task Schedules

Creating a task schedule allows you to schedule something that needs to be done on a recurring basis and set a due date for each occurrence. For example: every week, Sally needs to review the report(s) generated on new user accounts created, and she has 5 days to complete the review. The Task Schedule homepage displays all schedules by default, but you can filter, add, and/or update schedules.

When creating a task schedule, a new task is created and displayed in the Task page when the scheduled timeframe is met. For example, if you create a task schedule for every two weeks, a new task is generated in the Task tab every two weeks. The information put into the task schedule is copied over to the Task tab, so the more information you put in your schedule, the more information you'll have for your task. 

Screenshots: Task Schedule View and Task View.


How to create a task schedule

  1. Tickets > Task Schedule > the blue + box on the far right.
  2. Fill out the following fields
    1. Name: Descriptive name. For example, 'Quarterly Information Security Report to Board'.
    2. Owner: Person responsible for completing the task(s)
    3. Description: What you want done
    4. Add Watchers (the person making sure it's been completed) and select your desired notification frequency.
      1. All notifications 
      2. Only when opened and closed
    5. Query: Search query that monitors related events
    6. Schedule: How often should tasks be generated?
    7. Due Date: How many days after the task runs does the responsible party have to complete it?
    8. Policies: If creating this after leaving the Policy page, the current statement is added by default. You can add additional policies if desired.
    9. Tags: Terms you would use to search and/or organize this schedule by.

CSV Export of Task Schedules

To assist with compliance records, you can create a CSV export to view all your task schedules in a single spreadsheet. Follow the steps below.

  1. Go to Tickets > Task Schedule (default page).
  2. Click the cloud icon to download.

Use Case for Task Schedules: User account created and enabled

Within the description on the Task Schedule, be sure to include how the Task is to be completed and documented, what specific things need to be reviewed, and so on.

Example Scenario 

Sara, a manager, requires Justin to verify that all user accounts created within a month are legitimate. Sara creates a task for Justin to do the verification and requires him to finish the task in 4 days.

How the fields would be filled out when creating the task schedule

Name: User Account Created
Owner: Justin (employee doing the task)
Description: Verify that all user accounts created were legitimate and necessary accounts. Verify they were created by authorized users.
Watcher: Sara (person who created task schedule)
Query: app_name:("microsoft-windows-security-auditing" OR "DefenseStorm Agent") AND (event_id:4720 OR event_id:624 OR event_id:4722 OR event_id:626) AND NOT category:("alert")
Schedule: Every month, on the 1st
Due Date: 4 days
Policies: Internal policy to verify user accounts created.
Tags: User Account created, User Account enabled
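The review Justin performs when the monthly task fires, as an added example that is not part of this article or of the DefenseStorm product: it applies the same filter as the schedule's Query to a constructed set of events, groups the account-created/enabled events by the account acted on, and flags any whose creator is not on an authorized list. The app_name, event_id and category fields come from the Query on this page; target_user and subject_user are assumed field names, and the authorized-creator list is constructed.

```python
from collections import defaultdict

# Field values taken from the task schedule's Query on this page.
ACCOUNT_SOURCES = {"microsoft-windows-security-auditing", "DefenseStorm Agent"}
# 4720/624 = user account created, 4722/626 = user account enabled.
ACCOUNT_EVENT_IDS = {4720, 624, 4722, 626}
EXCLUDED_CATEGORIES = {"alert"}

def matches_schedule_query(event):
    """Mirror the schedule's search query: app_name in the sources AND
    event_id in the create/enable set AND NOT category alert."""
    return (
        event.get("app_name") in ACCOUNT_SOURCES
        and event.get("event_id") in ACCOUNT_EVENT_IDS
        and event.get("category") not in EXCLUDED_CATEGORIES
    )

def review_account_events(events, authorized_creators):
    """Group matching events by the account acted on (target_user) and
    flag accounts whose creator (subject_user) is not authorized.
    Returns (accounts, flagged): accounts maps target_user to a list of
    (event_id, subject_user); flagged is a sorted list of target_users."""
    accounts = defaultdict(list)
    for ev in events:
        if matches_schedule_query(ev):
            accounts[ev["target_user"]].append((ev["event_id"], ev["subject_user"]))
    flagged = sorted(
        user for user, actions in accounts.items()
        if any(creator not in authorized_creators for _, creator in actions)
    )
    return dict(accounts), flagged

# Constructed sample events; target_user and subject_user are assumed field names.
SAMPLE_EVENTS = [
    {"app_name": "microsoft-windows-security-auditing", "event_id": 4720,
     "category": "audit", "target_user": "jsmith", "subject_user": "helpdesk01"},
    {"app_name": "microsoft-windows-security-auditing", "event_id": 4722,
     "category": "audit", "target_user": "jsmith", "subject_user": "helpdesk01"},
    {"app_name": "DefenseStorm Agent", "event_id": 624,
     "category": "audit", "target_user": "svc_backup", "subject_user": "rdoe"},
    # Dropped by the query: category alert.
    {"app_name": "microsoft-windows-security-auditing", "event_id": 4720,
     "category": "alert", "target_user": "ignored", "subject_user": "helpdesk01"},
    # Dropped by the query: 4624 is a logon, not an account create/enable.
    {"app_name": "microsoft-windows-security-auditing", "event_id": 4624,
     "category": "audit", "target_user": "jsmith", "subject_user": "jsmith"},
]
AUTHORIZED_CREATORS = {"helpdesk01", "helpdesk02"}  # constructed allowlist
```

Running review_account_events(SAMPLE_EVENTS, AUTHORIZED_CREATORS) lists jsmith (created and enabled by helpdesk01) and svc_backup, and flags only svc_backup because rdoe is not an authorized creator; those flagged accounts are what goes into the task's findings note.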