Incident and Risk Management
Incident tracking, risk assessment, and response playbooks within the SIEM module.
Incident Management
Navigation: ELS Console → SIEM → Incidents
The Incidents tab displays all triggered alert incidents in a time-filtered, searchable table. Each incident row contains the following columns:
| Column | Description |
|---|---|
| Name | Alert rule name that triggered the incident (shows a notepad icon if a note is attached) |
| Alert Time | Time when the alert was triggered |
| Username | User assigned to handle the incident |
| Status | Current incident status |
| Risk | Calculated risk score |
Incident Statuses
Each incident has one of the following statuses:
New — incident has been created but not yet reviewed
Ongoing — incident is being actively investigated
False — incident has been identified as a false positive
Solved — incident has been resolved
Incident Actions
For each incident the following actions are available:
Show Incident — view the full incident document
Verify — check incident fields against the blacklist index
Preview — open the incident document in Discover using the alert index pattern
Update — change the incident status, assigned users, and roles
Playbooks — view playbooks associated with the incident’s alert rule
Note — add or edit investigation notes and comments
Manual Incident Creation
Navigation: ELS Console → Discover → Incident (top right)
Incidents are typically created automatically when alert rules are triggered. Additionally, you can create incidents manually from the Discover interface using the Manual Incident context menu option. The form includes the following fields:
Rule Name — defaults to “Manual Incident”
Time — current time (read-only)
Risk — risk value from 0 to 100 (default: 50)
User — user to assign the incident to
Message — description of the incident
Risk Management
Navigation: ELS Console → SIEM → Risks
Risk management allows you to categorize and score entities (users, hosts, IPs) by mapping field values to risk categories. The Risks tab has four sub-tabs: Create Risk, Risk List, Create Category, and Category List.
Risk Categories
A risk category defines a named risk level with a numeric value from 0 to 100.
Creating a category:
Go to the Create Category sub-tab.
Enter a Category name (e.g., “Critical Assets”, “High Risk Users”).
Set a Category value (0–100), where higher values represent higher risk.
Submit the category.
Note
A default uncategorized category with value 0 is created automatically on plugin initialization.
Risk Entries
A risk entry maps a specific field value from your data to a risk category.
Creating a risk entry:
Go to the Create Risk sub-tab.
Enter an Index pattern and click Read Fields to load available fields.
Select the Key field from the dropdown (e.g., source.ip, user.name).
Select a Time range (from “Last 15 minutes” up to “Last 1 year”, or “None” for all data).
Click Read Values to load unique values for the selected field.
Map each value to a risk category using the per-row dropdown, or select multiple values and use Set Global Category for bulk assignment.
Optionally, add custom field values manually using the + button.
Submit the risk entries.
Risk Scoring on Alert Rules
Each alert rule can include risk scoring configuration:
Risk Key — the field used to calculate risk (e.g., source.ip)
Multiple risks aggregation — how to combine multiple risk values: MAX, MIN, AVG, SUM, or CUSTOM
Risk boost [%] — a percentage multiplier applied to the calculated risk score (default: 100)
When an alert triggers, the system looks up the risk value for the entity identified by the Risk Key field and applies the aggregation method and boost percentage to calculate the final risk score. This score is visible in the Incidents tab.
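The following Python is an added illustration of the scoring described above, not the plugin's own code. It assumes that a value without a risk entry falls back to the default uncategorized category (value 0), that a multi-valued Risk Key contributes one risk per element, that the final score is capped at 100, and it leaves out CUSTOM because the page does not define it.

```python
from statistics import mean

# Constructed sample data: risk categories (name -> value) and risk entries
# (key field -> field value -> category), as created in the Risks tab.
CATEGORIES = {"uncategorized": 0, "High Risk Users": 80, "Critical Assets": 95}
RISK_ENTRIES = {
    "source.ip": {"10.0.0.5": "Critical Assets", "10.0.0.9": "High Risk Users"},
    "user.name": {"svc_backup": "High Risk Users"},
}
# The four aggregation methods the page names; CUSTOM is undefined there and omitted.
AGGREGATIONS = {"MAX": max, "MIN": min, "AVG": mean, "SUM": sum}


def lookup_risks(event, risk_key, entries=RISK_ENTRIES, categories=CATEGORIES):
    """Return one category value per value of risk_key present in the event.

    Assumption: a value with no risk entry maps to the default uncategorized
    category (value 0), and a list-valued key yields one risk per element.
    """
    values = event.get(risk_key)
    if values is None:
        return []
    if not isinstance(values, (list, tuple, set)):
        values = [values]
    key_entries = entries.get(risk_key, {})
    return [categories[key_entries.get(str(v), "uncategorized")] for v in values]


def compute_risk(event, risk_key, aggregation="MAX", boost_pct=100):
    """Combine the looked-up risks with the chosen aggregation, then apply boost.

    Mirrors the rule settings Risk Key, Multiple risks aggregation and
    Risk boost [%]. Assumptions: an event with no risk value scores 0 and the
    final score is capped at 100 to stay on the 0-100 scale.
    """
    if aggregation not in AGGREGATIONS:
        raise ValueError(f"unsupported aggregation: {aggregation}")
    risks = lookup_risks(event, risk_key)
    if not risks:
        return 0
    score = AGGREGATIONS[aggregation](risks) * boost_pct / 100
    return min(100, round(score))


if __name__ == "__main__":
    # Constructed alert: two known source IPs, one unmapped, plus a risky user.
    alert = {"source.ip": ["10.0.0.5", "10.0.0.9", "192.168.1.1"],
             "user.name": "svc_backup"}
    for agg in AGGREGATIONS:
        print(agg, compute_risk(alert, "source.ip", agg, boost_pct=100))
```

Running it shows how the unmapped third IP drags MIN to 0 and AVG down, while SUM saturates at the cap.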
Playbooks
Navigation: ELS Console → SIEM → Playbook
Playbooks provide a way to document response procedures and attach executable scripts to alert rules. The Playbook tab has two sub-tabs: Create Playbook and Playbook List.
Creating a Playbook
Go to the Create Playbook sub-tab.
Fill in the following fields:
Name — descriptive name for the playbook
Text — response procedure description (e.g., investigation steps, escalation instructions)
Script — executable script content to be run when the playbook is invoked
Submit the playbook.
Managing Playbooks
The Playbook List sub-tab displays all created playbooks in a table. Available actions for each playbook:
Show — view playbook details
Update — edit the playbook name, text, or script
Delete — remove the playbook
Associating Playbooks with Alert Rules
Playbooks are linked to alert rules through the alert creation form:
When creating or editing an alert rule (SIEM → Alert Rules → Create Alert Rule), enable the Playbooks toggle.
Select one or more playbooks to associate with the rule.
When the alert triggers, the associated playbooks are available for the incident responder to reference and execute.