Incident and Risk Management
Topics
Security operations, incident tracking, risk assessment, and automated response workflows.
Incident Management
Navigation: ELS Console → SIEM → Incidents
Manual Incident Creation
Navigation: ELS Console → Discover → Incident (top right)
Process
Review new incidents.
Assign to a team member.
Add evidence from logs.
Update status (New, False for a false positive, Ongoing, Solved).
Link to playbooks.
Generate report.
Incident Fields:
Status: New / False (false positive) / Ongoing / Solved
Assignee: Team member
Evidence: Linked logs/events
Notes: Investigation details
Risk Management
Navigation: ELS Console → SIEM → Risks
How Risk Scoring Works
The risk score combines three inputs: the base score taken from the alert rule, the risk of the entity involved (user, host or IP), and environmental factors that raise or lower the result.
Risk Components
Base Score: From alert rule (0-100).
Entity Risk: User/host/IP reputation (0-100).
Environmental Factors: Modifiers, such as time of day or source location, that adjust the score up or down.
Creating Risk Categories
Define category name (e.g., “High Risk Users”).
Set the matching condition on fields (e.g., risk_score > 75).
Risk Monitoring:
View risk distribution.
Track risk trends.
Assign mitigation tasks.
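The page does not state how the three components are combined, so the following is an added example (not ELS code) that uses an assumed model: a weighted sum of base score and entity risk, an additive environmental modifier, clamped to 0-100. It then evaluates category conditions of the form the page describes (risk_score > 75) and builds the distribution a Risk Monitoring view would show. Weights, modifiers, category names other than "High Risk Users", and the sample alerts are all constructed for illustration.

```python
# Added example, not ELS code: an assumed model of how the three risk components
# might combine, plus category matching like "risk_score > 75". The weights,
# modifiers and sample alerts below are constructed for illustration.
import operator
from dataclasses import dataclass


@dataclass
class Entity:
    name: str
    kind: str         # "user", "host" or "ip"
    reputation: int   # entity risk, 0-100 (higher is riskier)


@dataclass
class Alert:
    rule: str
    base_score: int   # from the alert rule, 0-100
    entity: Entity
    hour: int         # hour of day the alert fired, 0-23
    country: str      # source location, ISO country code


# Assumed environmental modifiers (not documented on the page).
OFF_HOURS = range(0, 6)
TRUSTED_COUNTRIES = {"DE", "US"}


def environmental_modifier(alert: Alert) -> int:
    """Additive adjustment for time of day and location."""
    mod = 0
    if alert.hour in OFF_HOURS:
        mod += 10
    if alert.country not in TRUSTED_COUNTRIES:
        mod += 15
    return mod


def risk_score(alert: Alert, base_weight: float = 0.6, entity_weight: float = 0.4) -> int:
    """Weighted base score and entity risk, plus modifiers, clamped to 0-100."""
    raw = base_weight * alert.base_score + entity_weight * alert.entity.reputation
    raw += environmental_modifier(alert)
    return max(0, min(100, round(raw)))


OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "==": operator.eq}

# Categories as (field, operator, value) conditions; all conditions must hold.
CATEGORIES = {
    "High Risk Users": [("kind", "==", "user"), ("risk_score", ">", 75)],
    "High Risk Hosts": [("kind", "==", "host"), ("risk_score", ">", 75)],
    "Low Risk": [("risk_score", "<=", 40)],
}


def score_record(alert: Alert) -> dict:
    return {"rule": alert.rule, "entity": alert.entity.name,
            "kind": alert.entity.kind, "risk_score": risk_score(alert)}


def matches(record: dict, conditions: list) -> bool:
    return all(OPS[op](record[field], value) for field, op, value in conditions)


def categorize(alerts: list) -> dict:
    """Map each category name to the entities whose scored alerts match it."""
    out = {name: [] for name in CATEGORIES}
    for alert in alerts:
        rec = score_record(alert)
        for name, conds in CATEGORIES.items():
            if matches(rec, conds):
                out[name].append(rec["entity"])
    return out


def risk_distribution(alerts: list, bucket: int = 25) -> dict:
    """Count alerts per score bucket; a score of 100 lands in the top bucket."""
    dist = {}
    for alert in alerts:
        lo = min(risk_score(alert) // bucket * bucket, 100 - bucket)
        key = f"{lo}-{lo + bucket}"
        dist[key] = dist.get(key, 0) + 1
    return dist


# Constructed sample alerts.
SAMPLE_ALERTS = [
    Alert("multiple_failed_logins", 80, Entity("alice", "user", 60), hour=2, country="RU"),
    Alert("port_scan", 30, Entity("10.0.0.5", "ip", 20), hour=14, country="US"),
    Alert("mass_file_encryption", 100, Entity("ws-042", "host", 100), hour=3, country="CN"),
]

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(a.rule, a.entity.name, risk_score(a))
    print(categorize(SAMPLE_ALERTS))
    print(risk_distribution(SAMPLE_ALERTS))
```

The clamp matters: the third alert scores 125 before clamping, and without it a "risk_score > 100" band would silently exist. The category evaluator keeps conditions as data so they can be edited in the console rather than in code.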
Playbooks and Automation
Navigation: ELS Console → SIEM → Playbook
Process
Select trigger (alert type).
Add steps (e.g., isolate host, notify team).
Configure automation (API calls, scripts).
Test playbook.
Enable for production.
Example Playbook: Ransomware Detection
Trigger: encryption activity detected.
Isolate the affected host.
Back up critical data from a known-good state, so that already encrypted files do not overwrite clean backups.
Notify security team.
Initiate investigation.
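To make the process above concrete, here is an added example (not ELS code) of a minimal playbook runner: a playbook has a trigger (alert type), an ordered list of steps, a test mode that logs what would happen without touching anything, and an enabled flag that must be set before it runs for real. The ransomware playbook from the page is expressed as data over that runner. The host inventory, the alert, the ".locked" marker for encrypted files and the step actions are constructed stand-ins; real steps would call EDR, backup and ticketing APIs.

```python
# Added example, not ELS code: a minimal playbook runner that shows trigger
# matching, ordered steps, a test (dry-run) mode, and a production switch.
# The hosts, alert and actions are constructed; real steps would call EDR,
# backup and ticketing APIs.
from dataclasses import dataclass, field


@dataclass
class Environment:
    """In-memory stand-in for the systems a playbook acts on."""
    hosts: dict
    notifications: list = field(default_factory=list)
    backups: list = field(default_factory=list)
    investigations: list = field(default_factory=list)


# Step actions: each receives the environment and the triggering alert and
# returns a one-line result for the run log.
def isolate_host(env: Environment, alert: dict) -> str:
    env.hosts[alert["host"]]["isolated"] = True
    return f"isolated {alert['host']}"


def backup_critical_data(env: Environment, alert: dict) -> str:
    # Only clean files go into the snapshot; copying already encrypted files
    # would overwrite good backups. ".locked" is a constructed marker here.
    files = env.hosts[alert["host"]]["files"]
    clean = [f for f in files if not f.endswith(".locked")]
    env.backups.append({"host": alert["host"], "files": clean})
    return f"backed up {len(clean)} clean files from {alert['host']}"


def notify_team(env: Environment, alert: dict) -> str:
    env.notifications.append({"to": "soc@example.invalid",
                              "subject": f"{alert['type']} on {alert['host']}"})
    return "notified security team"


def open_investigation(env: Environment, alert: dict) -> str:
    env.investigations.append({"host": alert["host"], "status": "New", "assignee": None})
    return "investigation opened"


@dataclass
class Playbook:
    name: str
    trigger: str              # alert type that starts the playbook
    steps: list               # ordered (step name, action) pairs
    enabled: bool = False     # stays False until enabled for production

    def run(self, env: Environment, alert: dict, dry_run: bool = False) -> list:
        """Return the run log; in dry-run mode nothing in env is changed."""
        if alert["type"] != self.trigger:
            return []
        if not dry_run and not self.enabled:
            raise RuntimeError(f"playbook {self.name!r} is not enabled for production")
        log = []
        for step_name, action in self.steps:
            if dry_run:
                log.append(f"[test] would run: {step_name}")
            else:
                log.append(action(env, alert))
        return log


def ransomware_playbook() -> Playbook:
    """The page's example playbook; 'detect encryption activity' is the trigger."""
    return Playbook(
        name="Ransomware Detection",
        trigger="ransomware_encryption",
        steps=[("isolate affected host", isolate_host),
               ("backup critical data", backup_critical_data),
               ("notify security team", notify_team),
               ("initiate investigation", open_investigation)],
    )


def sample_environment() -> Environment:
    return Environment(hosts={"ws-042": {"isolated": False,
                                         "files": ["report.docx", "report.docx.locked", "budget.xlsx"]}})


RANSOMWARE_ALERT = {"type": "ransomware_encryption", "host": "ws-042"}  # constructed


def lifecycle(alert: dict = RANSOMWARE_ALERT) -> dict:
    """Test the playbook, confirm it refuses to run unenabled, then enable and run it."""
    env = sample_environment()
    pb = ransomware_playbook()
    dry = pb.run(env, alert, dry_run=True)
    try:
        pb.run(env, alert)
        blocked = False
    except RuntimeError:
        blocked = True
    pb.enabled = True
    prod = pb.run(env, alert)
    return {"dry_run": dry, "blocked_before_enable": blocked, "production": prod, "env": env}


if __name__ == "__main__":
    result = lifecycle()
    for line in result["dry_run"] + result["production"]:
        print(line)
```

The dry-run log is what you review in the "Test playbook" step; only after `enabled` is set does a matching alert change host state, write a backup, send a notification and open an incident in status New, the same status the Incident Management section starts from.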