Example of incident investigation with Kaspersky Next XDR Expert
This scenario represents a sample workflow of an incident investigation.
Incident investigation proceeds in stages:
1. Assigning an alert to a user
   You can assign an alert to yourself or to another user.
2. Checking if the triggered correlation rule matches the data of the alert events
   View the information about the alert and make sure that the alert event data matches the triggered correlation rule.
3. Analyzing alert information
   Analyze the information about the alert to determine what data is required for further analysis of the alert.
4. Manual enrichment
   Launch the available solutions for additional enrichment of an event (for example, Kaspersky TIP).
5. False positive check
   Make sure that the activity that triggered the correlation rule is abnormal for the organization's IT infrastructure.
6. Incident creation
   If steps 3 to 5 reveal that the alert requires investigation, you can create an incident or link the alert to an existing incident. You can also merge incidents.
7. Investigation
   This step includes viewing information about the assets, user accounts, and alerts related to the incident. You can use the investigation graph and threat hunting tools to get additional information.
8. Searching for related assets
   You can view the alerts that occurred on the assets related to the incident.
9. Searching for related events
   You can expand your investigation scope by searching for events of related alerts.
10. Recording the causes of the incident
   You can record the information necessary for the investigation in the incident change log.
11. Response
   You can perform response actions manually.
12. Closing the incident
   After taking measures to clean up the traces of the attacker's presence from the organization's IT infrastructure, you can close the incident.