Incident Management: Process

Document created by RSA Information Design and Development Employee on Oct 24, 2017Last modified by RSA Information Design and Development Employee on Jan 29, 2018
Version 2Show Document
  • View in full screen mode

Incident Management Workflow

Security Analytics Incidents module collects alerts from multiple sources and provides the ability to group them logically and start an Incident response workflow to investigate and remediate the security issues raised. Security Analytics Incidents module allows you to configure rules to automate the aggregation of Alerts into Incidents.  Alerts will be normalized by the system to a common format to provide users with a consistent view for the rule criteria regardless of the data source. You can build query criteria based on the alert data with the ability to query on fields that are common as well as specific to data sources.

The rule engine allows you to group similar alerts together into an Incident so that the investigation and remediation workflow can be shared across a set of similar alerts. You can create rules that can group alerts into incidents depending on a common value they share for one or two attributes (for example, source hostname) or if they are reported within a limited time window (for example, alerts that are within 4 hours of each other).

If an alert matches a rule, an incident is created using the criteria. As new alerts are ingested, if an existing Incident was already created that matched those criteria, and that incident isn't "in progress" yet, the new alerts will continue to be added to the same incident.  If there is no existing incident for the grouped value (for example, the specific hostname) or the time window, a new incident will be created and the alert will be added to it. 

You can have multiple aggregation rules. The rules can either group alerts into Incidents or suppress alerts from being matched by any rule, hence the rules are ranked top-to-bottom and only the first rule to match an incoming alert is be used to include that alert in an incident. The Incidents provide a context for the alerts, provide tools to record the investigation status, and track the remediation progress.

Various stages in the Incident Management process are:

  • Review Alerts
  • Manage Incidents
  • Automate Incident Management process
  • Track the incident response through
    • Security Analytics UI
    • a third party helpdesk system
    • RSA Archer Breach management 

Incident Management Workflow Diagram

The following figure shows the incident management workflow process.


Previous Topic:Incident Management
Next Topic:The Basics
You are here
Table of Contents > Incident Management Process