Last Updated on November 16, 2023 by InfraExam
A possible breach has been reported and Rajiv, the Tier 1 triage specialist, has performed initial processing, including confirming its validity. Which tool will Rajiv and the other SOC analysts use to monitor and manage this incident and all other open incidents?
- firewall logs
- SIEM alerts
- IPS logs
- ticketing (ITSM) system
Explanation & Hint:
In a Security Operations Center (SOC), the tool used to monitor and manage incidents, including organizing and prioritizing them, is a ticketing platform, typically an IT Service Management (ITSM) system. An ITSM tool lets SOC teams track the status of each incident, assign tasks to the right tier, enforce workflows (for example, Tier 1 triage before Tier 2 escalation), and document every action taken for later review and reporting. Logs and alerts are inputs to that process; they are evidence, not the place where the incident itself is tracked.
Here’s a brief overview of how the listed tools are generally used:
Firewall Logs: These record the traffic the firewall allowed or denied and may help identify unauthorized access or other suspicious activity, but they are a data source, not a workflow tool.
SIEM Alerts: Security Information and Event Management (SIEM) systems centralize the storage and correlation of logs and allow real-time analysis of security alerts generated by network hardware and applications. They are key to detecting incidents, but they are not designed to manage the incident response process from triage to closure.
IPS Logs: Logs from an Intrusion Prevention System (IPS) record the threats the IPS detected and the action it took, such as blocking the traffic or raising an alert. Like firewall logs, they feed an investigation rather than track it.
ITSM: IT Service Management platforms are the tools where incident tickets are created, managed, and tracked until closure. Examples include ServiceNow, JIRA Service Desk, and BMC Remedy.
Based on this, Rajiv and the other SOC analysts would use the ticketing (ITSM) system to manage this incident and all other open incidents; the firewall, SIEM, and IPS data are what they consult while working those tickets.
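To make the division of labour concrete, the following is an added example (not from the original page and not the code of any ITSM product) of the handoff the explanation describes: SIEM alerts are the detection input, and an incident ticket is the object whose state, assignee, and history the SOC tracks. The alert format, the ticket states, the 15-minute grouping window, and the analyst names are assumptions made for illustration.

```python
"""Minimal model of the SIEM -> ITSM handoff: alerts are correlated into
incident tickets, and each ticket carries its own state, assignee, and audit
history. Added example; the alert schema and workflow are assumptions."""
import json
from datetime import datetime, timedelta

# Constructed SIEM alerts (not real data): one host trips the same rule three
# times within a few minutes, plus one unrelated alert from another host.
SAMPLE_SIEM_ALERTS = "\n".join([
    json.dumps({"ts": "2023-11-16T10:00:05Z", "rule": "brute-force-ssh", "src": "10.0.0.7", "severity": "high"}),
    json.dumps({"ts": "2023-11-16T10:01:10Z", "rule": "brute-force-ssh", "src": "10.0.0.7", "severity": "high"}),
    json.dumps({"ts": "2023-11-16T10:03:40Z", "rule": "brute-force-ssh", "src": "10.0.0.7", "severity": "high"}),
    json.dumps({"ts": "2023-11-16T10:20:00Z", "rule": "malware-c2-beacon", "src": "10.0.0.9", "severity": "critical"}),
])

# Assumed ticket workflow: a ticket cannot skip triage, and a closed ticket
# is terminal. Tier 1 may close a triaged ticket directly as a false positive.
TRANSITIONS = {
    "new": {"triaged"},
    "triaged": {"in_progress", "closed"},
    "in_progress": {"resolved"},
    "resolved": {"closed", "in_progress"},
    "closed": set(),
}


class Ticket:
    """One incident record as an ITSM tool would hold it."""

    def __init__(self, ticket_id, title, severity, alerts):
        self.id = ticket_id
        self.title = title
        self.severity = severity
        self.alerts = list(alerts)      # the SIEM evidence attached to the ticket
        self.state = "new"
        self.assignee = None
        self.history = [("system", None, "new")]   # (actor, from, to) audit trail

    def transition(self, new_state, actor):
        """Move the ticket along the workflow; reject steps the workflow forbids."""
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.id}: {self.state} -> {new_state} not allowed")
        self.history.append((actor, self.state, new_state))
        self.state = new_state

    def assign(self, actor, assignee):
        self.assignee = assignee
        self.history.append((actor, "assign", assignee))


def parse_alerts(text):
    """Parse newline-delimited JSON alerts and return them in time order."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        alert = json.loads(line)
        alert["ts"] = datetime.strptime(alert["ts"], "%Y-%m-%dT%H:%M:%SZ")
        alerts.append(alert)
    return sorted(alerts, key=lambda a: a["ts"])


def alerts_to_tickets(alerts, window=timedelta(minutes=15)):
    """Group alerts that share (rule, source) within `window` into one ticket,
    so repeated SIEM alerts for one attack do not become several incidents."""
    tickets, open_by_key = [], {}
    for alert in alerts:
        key = (alert["rule"], alert["src"])
        ticket = open_by_key.get(key)
        if ticket is not None and alert["ts"] - ticket.alerts[-1]["ts"] <= window:
            ticket.alerts.append(alert)
            continue
        ticket = Ticket(f"INC-{len(tickets) + 1:04d}",
                        f"{alert['rule']} from {alert['src']}", alert["severity"], [alert])
        tickets.append(ticket)
        open_by_key[key] = ticket
    return tickets


def triage(tickets, tier1="rajiv", tier2="tier2-oncall"):
    """Tier 1 confirms validity; high and critical tickets are escalated to Tier 2,
    everything else is closed as a false positive (assumed policy)."""
    for ticket in tickets:
        ticket.transition("triaged", tier1)
        if ticket.severity in ("high", "critical"):
            ticket.assign(tier1, tier2)
            ticket.transition("in_progress", tier2)
        else:
            ticket.transition("closed", tier1)
    return tickets


def open_incidents(tickets):
    """The queue the SOC watches: every ticket not yet closed."""
    return [t for t in tickets if t.state != "closed"]


def run_demo():
    tickets = triage(alerts_to_tickets(parse_alerts(SAMPLE_SIEM_ALERTS)))
    for t in tickets:
        print(t.id, t.state, t.assignee, len(t.alerts), "alert(s)", t.history)
    return tickets


if __name__ == "__main__":
    run_demo()
```

The point of the example is the separation of concerns the question tests: `parse_alerts` and `alerts_to_tickets` consume SIEM output, but everything the SOC needs to monitor and manage the incident (state, owner, audit history, the open queue) lives on the ticket, which is what an ITSM platform provides and what raw firewall, SIEM, or IPS logs do not.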