Example of incident investigation with KUMA

Detecting an attack in the organization IT infrastructure using KUMA includes the following steps:

1. Preliminary steps
2. Assigning an alert to a user
3. Check if the triggered correlation rule matches the data of the alert events
4. Analyzing alert information
5. False positive check
6. Determining alert severity
7. Incident creation
8. Investigation
9. Searching for related assets
10. Searching for related events
11. Recording the causes of the incident
12. Response
13. Restoring assets operability
14. Closing the incident

The description of the steps provides an example of response actions that an analyst might take when an incident is detected in the organization's IT infrastructure. You can view the description and example for each step by clicking the link in its title. The examples are directly relevant to the step being described.

For conditions of the incident for which examples are provided, see the Incident conditions section.

For more information about response methods and tools, see the Incident Response Guide. On the Securelist website by Kaspersky, you can also find additional recommendations for incident detection and response.

In this Help topic Incident conditions Step 1. Preliminary steps Step 2. Assigning an alert to a user Step 3. Check if the triggered correlation rule matches the data of the alert events Step 4. Analyzing alert information Step 5. False positive check Step 6. Determining alert severity Step 7. Incident creation Step 8. Investigation Step 9. Searching for related assets Step 10. Searching for related events Step 11. Recording the causes of the incident Step 12. Incident response Step 13. Restoring assets operability Step 14. Closing the incident

Page top