Investigation starting point – incident investigation page
At the beginning of this chapter, we discussed incident management and the incident queue, which lists the security incidents that have been detected. Each incident carries specific information, such as ownership, status, severity, the events that led to its detection, and so on. We also noted that the incident queue must have a clean UI that is easy to read and navigate and is not cluttered with data. On the incident queue, SOC analysts should see only the most important details of each incident.
But what about when a SOC analyst needs to see more data? How can SOC analysts investigate an incident?
For this reason, we must have an incident investigation page with more detailed information about the incident. In this view, we should be able to drill into the incident and investigate it.
OK, but isn’t it easier to have it all on one page? The main UI goal...