The incident investigation process
Having an incident management solution with room for investigation built into it is a big plus for a SOC, and extending it with other SOAR elements such as automation and reporting will certainly make the SOC's work easier. But those tools must be used properly. In the investigation space, it is important to have a methodology for incident prioritization and investigation.
So, how do we start?
Execute incident prioritization
First, we need to be able to choose which incident to investigate. At any given time, a SOC analyst will typically have a dozen incidents assigned, so it is vital to know how to choose your battles. This can be done in several ways, all of them based on information that is already present in the incident queue:
- Start with severity. A higher severity usually indicates a potentially more serious issue. If you have five incidents with low severity and one with high severity, the high-severity one should be the starting point. Keep in mind that severity is assigned by the detection rule or platform, so it reflects the expected impact of the alert type rather than the verified impact of this particular incident.