Tickets

The Tickets page is used to track Incidents, Tasks, and Task Schedules. Incidents track network activity that requires additional research and possible action. Incidents are generated either by the system (through Alerts, ThreatMatch, or PatternScout) or by a user. Tasks and Task Schedules serve as reminders to review log data or to demonstrate compliance to auditors. Tasks are one-time actions that can be assigned to a responsible party. Task Schedules are recurring actions that can also be assigned to a responsible party. Think of a Task Schedule as a recurring meeting on your calendar, and the Task as the actual calendar event for one of those meetings.

The Tickets page defaults to the Incidents tab, which displays all open Incidents. Other tab options include Tasks and Task Schedules.


Incidents

The default Incidents page shows all currently open incidents. You can narrow this list by filtering or searching, and then download the resulting list of Incidents as a CSV for your records.

Creating an Incident from the Tickets page

Incidents can be created either from this page or from the Events page. Follow the instructions below to create an Incident from within the Incidents page.

  1. Select the Tickets page on the left-hand side of the screen. This defaults you to the Incidents tab. 
  2. Click on the blue plus sign on the top right to display the New Incident window.
  3. Give your incident a title and an owner. (If you want TRAC to review, select TRAC as the owner.)
  4. Update the severity level to Low, Medium, or High based on your concern. (Note: high indicates a 2-hour response, medium is 12 hours, low/none is next business day.)
  5. Description should include the following fields:
    Who: Host or IP address experiencing unusual activity.
    What: What happened to make you believe this is unusual.
    When: What time did this occur, has it stopped, is it ongoing.
    Optional Links: Links to any reference documentation.
  6. Select Create to save the incident. Once an incident is created, it is automatically placed in the Triage state and the owners/watchers are notified via email.  For incidents and tasks rated as medium and high, please call the OpsGenie number (251-333-6557) to reach the on-call engineer and inform them of the situation.


Creating an Incident through the Events page 

If a search query reveals events that require investigation, create a new incident directly from the Events page to ensure all concerning events are captured in the Incident.

  1. Select the clipboard icon.  A drop-down displays with recently viewed incidents, and at the very bottom, the option to create a New Incident.
  2. Once you select New Incident, the Create Incident window displays. Fill out fields as described above, and select Create.


Updating an Incident

Within the Tickets > Incidents page, click an Incident to open for updates. From this screen you can add watchers, attach documents, edit search queries, link an incident and/or policy, and add to the activity log through notes. The icons to the left jump to specific incident details. 

  1. From this screen, add attachments, links, policies, watchers, incident state, owner, or severity.
    Incident States are:
    • Triage - Incident requires further analysis to determine next steps. This is the default state when an incident is created.
    • Analysis - The incident has been escalated and is undergoing further analysis.
    • Remediation - Negative impacts from the incident have been determined and efforts are underway to resolve any residual damage as well as remedy the root cause.
    • Resolved -  There is still action required (updating or documenting), but the issue has been discovered.
    • Closed - No further action needs to be taken.
    Other update options:
    • Links are connections to other incidents.
    • Files allow uploading of any files that were associated with the investigation.
    • You can assign other watchers or choose to add yourself as a watcher. A watcher is someone being cc'd on an incident so they can be kept up to date on status via email.  If you prefer to not receive emails, you can log into the UI and view updates that way.
    • You can assign a policy to the incident for tracking and reporting purposes.
  2. Select the pencil icon to edit the description or add a new note.  New notes display in the Activity Log section of the Incident with the date/time, and user who made the note.
  3. To view a summary of all actions, select the Activity Log icon on the left.


How to Create a Filtered CSV Export

You can create a filtered CSV export to work with a more manageable list of incidents. Follow the steps below:

  1. Go to Tickets > Incidents (default page).
  2. Filter down your incidents as desired by State, Owner, Created By, or a Title Search.
  3. Select the cloud icon to generate your CSV.
  4. Save as an Excel sheet and format as desired.


How to Close Multiple Incidents

  1. Go to Tickets > Incidents (default page).
  2. Select the checkboxes of the incidents you want to close.
  3. Select the Trashcan icon from the top right.


Tasks

Creating a task allows you to be reminded of something that needs to be done. For example: tomorrow, Bob needs to review the report on failed logins generated today.  The Task homepage displays all open tasks by default, but you can filter the tasks displayed, add and/or update Tasks. For compliance purposes, Tasks cannot be deleted, but they can be set to a Closed or Invalid state. 


How to create a Task

  1. Select Tickets > Tasks > the blue + box on the far right.
  2. Fill out the following fields:
    Title: Subject of the task (Review failed logins report generated on 4/2/2018)
    Owner: Person responsible for completing the task (Bob)
    Description: What the task is (Review the failed logins report generated yesterday, 4/2/2018. Look for any user accounts with suspiciously high numbers, and for after-hours attempts. Make a note here with your findings once it's completed.)


Task Schedules

Creating a task schedule allows you to schedule something that needs to be done on a recurring basis. For example: every week, Sally needs to review the report(s) generated on new user accounts created. The Task Schedule homepage displays all schedules by default, but you can filter the schedules displayed, add and/or update schedules.

When creating a task schedule, a new task is created and displayed in the Task page when the scheduled timeframe is met. For example, if you create a task schedule for every two weeks, a new task is generated in the Task tab every two weeks. The information put into the task schedule is copied over to the Task tab, so the more information you put in your schedule, the more information you'll have for your task. 

Task Schedule View

Shows one-time Tasks and Tasks created from Schedules


How to create a task schedule

  1. To create a task schedule, select Task Schedule > the blue + box on the far right.
    Fill out the following fields:
    Name: Descriptive name. For example, 'Quarterly Information Security Report to Board'.
    Owner: Responsible party
    Description: What you want done
    Query: Search query that monitors related events
    Schedule: How often should tasks be generated?
    Policies:  If creating this after leaving the Policy page, the current statement is added by default. You can add additional policies if desired.
    Tags: Terms you would use to search and/or organize this schedule by.


Use Case for Task Schedules

User Account Created & Enabled

Within the description on the Task Schedule be sure to include how the Task is supposed to be completed, documented, what specific things need to be reviewed, etc. 

Example on how to fill out Task Schedule Fields

Name: User Account created & enabled
Owner: Steve
Description: Verify that all user accounts created were legitimate and necessary accounts. Verify they were created by authorized users.
Query: app_name:("microsoft-windows-security-auditing" OR "DefenseStorm Agent") AND (event_id:4720 OR event_id:624 OR event_id:4722 OR event_id:626) AND NOT category:("alert")
Schedule: Every month, on the 1st
Policies: Internal policy to verify user accounts created.
Tags: User Account created, User Account enabled
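
The review that this Task Schedule asks its owner to perform can be sketched in code. The following is an added example, not part of the product or its documentation: it applies the same boolean logic as the Query field to a handful of constructed events and flags accounts whose creator is not on an authorized list. The field names app_name, event_id, and category come from the query above; the actor and target fields, the category value "event", and the authorized list are assumptions made for illustration.

```python
# Added example: mirrors the Task Schedule query over constructed events.
APP_NAMES = {"microsoft-windows-security-auditing", "DefenseStorm Agent"}
# 4720/4722 are the current Windows event IDs for account created/enabled;
# 624/626 are the legacy equivalents the query also includes.
EVENT_IDS = {4720: "created", 624: "created", 4722: "enabled", 626: "enabled"}


def matches_query(ev):
    """Same boolean logic as the Query field (exact, case-sensitive match here)."""
    return (ev.get("app_name") in APP_NAMES
            and ev.get("event_id") in EVENT_IDS
            and ev.get("category") != "alert")


def review(events, authorized_creators):
    """Return one finding per account, flagging actors outside the authorized list.

    'actor' and 'target' are assumed field names, not documented product fields.
    """
    findings = {}
    for ev in filter(matches_query, events):
        f = findings.setdefault(ev["target"], {"actions": set(), "actors": set()})
        f["actions"].add(EVENT_IDS[ev["event_id"]])
        f["actors"].add(ev["actor"])
    report = []
    for target, f in sorted(findings.items()):
        unauthorized = sorted(f["actors"] - set(authorized_creators))
        report.append({"account": target,
                       "actions": sorted(f["actions"]),
                       "unauthorized_actors": unauthorized,
                       "needs_followup": bool(unauthorized)})
    return report


# Constructed sample events (not real log data).
WINSEC = "microsoft-windows-security-auditing"
SAMPLE_EVENTS = [
    {"app_name": WINSEC, "event_id": 4720, "category": "event", "actor": "helpdesk1", "target": "jdoe"},
    {"app_name": WINSEC, "event_id": 4722, "category": "event", "actor": "helpdesk1", "target": "jdoe"},
    {"app_name": "DefenseStorm Agent", "event_id": 4720, "category": "event", "actor": "svc_backup", "target": "tmp_admin"},
    {"app_name": WINSEC, "event_id": 4720, "category": "alert", "actor": "svc_backup", "target": "from_alert"},
    {"app_name": WINSEC, "event_id": 4624, "category": "event", "actor": "jdoe", "target": "jdoe"},
]

if __name__ == "__main__":
    for row in review(SAMPLE_EVENTS, authorized_creators={"helpdesk1"}):
        print(row)
```

Accounts with needs_followup set are the ones worth documenting in the generated Task's notes, or escalating to an Incident.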