Incident and Risk Management

Security operations, incident tracking, risk assessment, and automated response workflows.

Incident Management

Navigation: ELS Console → SIEM → Incidents

Manual Incident Creation

Navigation: ELS Console → Discover → Incident (top right)

Incident Handling Process

  1. Review new incidents.

  2. Assign to a team member.

  3. Add evidence from logs.

  4. Update status (New/False/Ongoing/Solved).

  5. Link to playbooks.

  6. Generate report.

Incident Fields:

  • Status: New/False/Ongoing/Solved

  • Assignee: Team member

  • Evidence: Linked logs/events

  • Notes: Investigation details


Risk Management

Navigation: ELS Console → SIEM → Risks

How Risk Scoring Works

The risk score combines three components: the base score from the alert rule, the risk of the entity involved (user, host, or IP), and environmental factors that modify the result.

Risk Components

  • Base Score: From alert rule (0-100).

  • Entity Risk: User/host/IP reputation (0-100).

  • Environmental Factors: Contextual modifiers, such as time of access or location.

Creating Risk Categories

  1. Define category name (e.g., “High Risk Users”).

  2. Set the field conditions that place an entity in the category (e.g., risk_score > 75).
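
A worked illustration of the scoring components and the category rules described above, added here as an example rather than ELS Console code: the page gives no combination formula, so the one below (mean of base score and entity risk plus signed environmental modifiers, clamped to 0-100) is an assumption, and the user, modifiers, and categories are constructed sample data.

```python
"""Toy risk-score calculation and category matching (added example, not ELS code).

The page lists the components (base 0-100, entity risk 0-100, environmental
modifiers) but no formula, so the combination below is an assumption; the
rule syntax 'field op value' mirrors the page's 'risk_score > 75'.
"""
import operator
import re

OPS = {">": operator.gt, ">=": operator.ge, "<": operator.lt,
       "<=": operator.le, "==": operator.eq}
RULE_RE = re.compile(r"^\s*(\w+)\s*(>=|<=|==|>|<)\s*(-?\d+(?:\.\d+)?)\s*$")

def risk_score(base, entity_risk, modifiers):
    """Assumed formula: mean of base score and entity risk, plus the sum of
    environmental modifiers (signed points), clamped to 0-100."""
    score = (base + entity_risk) / 2 + sum(modifiers.values())
    return max(0, min(100, round(score)))

def parse_rule(rule):
    """Parse 'risk_score > 75' into (field, op, threshold) without eval()."""
    m = RULE_RE.match(rule)
    if not m:
        raise ValueError(f"bad rule: {rule!r}")
    field, op, value = m.groups()
    return field, OPS[op], float(value)

def matching_categories(entity, categories):
    """Names of categories whose every rule holds for the entity's fields."""
    matched = []
    for name, rules in categories.items():
        parsed = [parse_rule(r) for r in rules]
        if all(f in entity and op(entity[f], v) for f, op, v in parsed):
            matched.append(name)
    return matched

# Constructed sample categories in the page's rule style
CATEGORIES = {
    "High Risk Users": ["risk_score > 75"],
    "Off-hours Logins": ["risk_score >= 50", "after_hours == 1"],
}

def demo():
    # Constructed user: alert base 70, reputation 60, +15 after-hours, -5 known office
    user = {"name": "alice", "after_hours": 1}
    user["risk_score"] = risk_score(70, 60, {"after_hours": 15, "known_location": -5})
    return user["risk_score"], matching_categories(user, CATEGORIES)
```

Note that the sample user lands exactly on 75, so the strict `risk_score > 75` rule does not match while `risk_score >= 50` does; boundary behaviour like this is worth checking when you define categories.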

Risk Monitoring:

  • View risk distribution.

  • Track risk trends.

  • Assign mitigation tasks.


Playbooks and Automation

Navigation: ELS Console → SIEM → Playbook

Playbook Creation Process

  1. Select trigger (alert type).

  2. Add steps (e.g., isolate host, notify team).

  3. Configure automation (API calls, scripts).

  4. Test playbook.

  5. Enable for production.

Example Playbook: Ransomware Detection

  1. Detect encryption activity.

  2. Isolate affected host.

  3. Backup critical data.

  4. Notify security team.

  5. Initiate investigation.