Security ActOns consist of the following tabs, and each tab gives you a distinct way of handling incoming threats.
- Situation Analysis: Situation-based risk analysis helps you understand and respond to system vulnerabilities at the technical, business, and strategic levels. Impact analysis evaluates whether a Situation is relevant, probable, and linked to business, organizational, and strategic objectives.
Situation Analysis consists of the following components:
- Likelihood: Estimates how likely it is that the threat events and exposures of concern result in adverse impacts, based on the MITRE ATT&CK tactics that have been detected. The more tactics that are detected, the higher the score. The detected tactics are shown in blue in the inverted bar chart to the right of the likelihood score; the score becomes more severe as detections increase on the right side of the chart.
- Impact: Estimates the damage done to the asset by the threat of concern. The higher the impact score, the more critical the asset.
- Confidence: Measures how reliable the signals received from the source systems are, based on the rules configured in the Chronicle Content Management System (CMS). The more reliable the signals, the higher the confidence score.
For how these components are combined to quantify risk and how they are associated with an ActOn, refer to this article.
- Impacted Functions: This tab lists the functions associated with the ActOn. You can filter the listed functions by attributes such as service-level impact, domain, organization, and associated tenant.
- Entities & Evidence: Entities are the assets or domain names against which one or more MITRE ATT&CK tactics and techniques have been detected.
Security ActOns let you add entities to reference lists, which the rules defined in the Chronicle CMS can then use.
To add an entity to a reference list:
- In the Entities & Evidence tab, click Add to List (+) in the Reference List column.
A new window opens.
- Select the list(s) to which you want to add the asset.
- Click Update.
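Once an entity is on a reference list, a Chronicle CMS rule can match against that list instead of against hard-coded values. The following YARA-L rule is an added illustration, not a rule shipped with the product or taken from this page; the list name `blocked_assets` and the rule name are assumptions, chosen to show how an asset added through Add to List would be consumed by a rule.

```yaral
rule acton_entity_in_reference_list {
  meta:
    author = "example"
    description = "Illustrative rule: flag network connections whose target IP appears in an assumed reference list"
    severity = "MEDIUM"

  events:
    // Match on network connection events ingested into Chronicle.
    $e.metadata.event_type = "NETWORK_CONNECTION"

    // Bind the source host so it is available in the detection.
    $e.principal.hostname = $host

    // %blocked_assets is an assumed reference list name. It would hold the
    // IPs added via Add to List in the Entities & Evidence tab; the rule
    // does not need to change when the list contents change.
    $e.target.ip in %blocked_assets

  condition:
    $e
}
```

Because the rule references the list rather than literal values, adding or removing an entity in the ActOn updates what the rule matches without editing the rule itself.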
Evidence is the artifact (for example, a malicious domain or file) that triggered the signals from the integrated systems and sources. It gives you information about the malicious signals raised by attacks from the external environment.
- Detections: These are generated by the rules defined in the Chronicle CMS, which correlate multiple similar signals and merge them into a single Situation.
The Detections tab shows the detections grouped by the MITRE ATT&CK tactics and techniques they belong to. The initial detections linked to an ActOn are marked as primary next to the detection, and primary detections cannot be delinked from the Detections tab. To view the signals linked to an ActOn in a visual representation, click View in Signal Analytics.
- Detection Timeline: Shows when the first detection occurred, followed by the subsequent detections. The timeline also shows Situation activities, such as changes to the severity level and status.
- Event Timeline: Shows the events generated from the source at different times, along with the severity of each event (Low, Medium, High, and Critical Risk).
- Graph: Shows the relationships among assets, classifications, sub-classifications, signals, and MITRE ATT&CK tactics and techniques. For more information on the Graph UI, visit here.
- Escalations: Escalations provide details such as the primary on-call responder, the type of functions involved, and the status of the escalation policies that are linked to an ActOn. For more information on escalations, refer to this article.
- Notes: Notes are comments added by the users involved in remediating the ActOn. Notes are classified as:
- Work Notes: These comments are visible to an external audience and, by default, are synced to external ITSM and SOAR platforms.
- Internal Notes: These comments are visible to company-specific users only and are not synced to external ITSM and SOAR platforms.
- Resolution Notes: These comments are added when an ActOn is resolved. When an ActOn is resolved, the resolution notes must also be updated in the external ITSM or SOAR platforms, and the status there must be changed to Resolved.
You can create notes of any of the types described above.
To create a note:
- Under the Notes tab, click in the Notes field.
- Select the type of note you want to post from the list below.
- Work Notes
- Internal Notes
- Resolution Notes
- Select a pre-defined template or customize your comments.
- Click Post.
- ActOn Analyzer: Answers your questions about a specific ActOn, providing relevant information such as the summary, notes, user details, correlated signals, and impacted asset details to help you mitigate the ActOn.
- Analysis Log: Records the activities performed while resolving a Situation after a malicious threat is detected in the integrated systems, for example checking IP details and determining protocol and service names.
The Analysis Log lets you create a new log entry or edit the existing entries in the table.
To create a log entry:
- On the Analysis Logs page, click the icon.
The Create Task window appears.
- Enter a Name for the task.
- (Optional) Add a Description.
- (Optional) In the Assign to field, select the user to assign the task to from the drop-down menu.
- (Optional) In the Category field, select the category to which the task belongs.
- (Optional) In the Start date and Due date fields, select the date and time when the task starts and when it is due.
- In the Task dependency field, select one of the following:
- No: This task does not depend on other tasks in the Analysis Log.
- Yes: This task depends on other tasks in the Analysis Log. Select the tasks it depends on here.