Standard Operating Procedure / SOC

Continuous Monitoring – Incident Response Process

The SIEM:

• • collects logs from on-site collector
  • classifies the event type and parses the event attributes
  • performs data enrichment (DNS resolution, GEOIP, etc)
  • processes the logs through correlation rules, which look for known patterns and threat indicators
  • generates incidents for events that match the correlation rules
  • generates tickets for related invidents

The Level 1 Security Analyst:

• • receives and reviews the ticket
  • checks the ticket against account notes and exceptions
  • checks the ticket against known signs of a false positive
  • escalates the ticket to IRT investigation, if not closed in the previous two steps

The IRT Security Analyst:

• • references the SOP for the triggering correlation rule
  • reviews the incident attributes and raw event logs for additional information
  • investigates the source/destination via WHOIS records, geolocation information, and numerous threat intelligence feeds
  • checks for other related internal incidents (incidents used for investigation which do not trigger tickets)
  • searches archived logs for related events
  • investigates the specific threat for relevant information (affected devices/versions, signs of attack, remediation steps), etc
  • compiles all relevant information and escalated the ticket to remediation

The Remediation Team:

• • verifies the reported activity is suspicious or unauthorized
  • perform remediation based on Security Operations Center recommendations