Example of incident investigation with KUMA
Detecting an attack in the organization's IT infrastructure using KUMA includes the following steps:
- Preliminary steps
  - Assigning an alert to a user
  - Checking whether the triggered correlation rule matches the data of the alert events
  - Analyzing alert information
  - False positive check
  - Determining alert severity
- Incident creation
- Investigation
  - Searching for related assets
  - Searching for related events
  - Recording the causes of the incident
- Response
  - Restoring assets operability
- Closing the incident
The description of each step includes an example of the response actions an analyst might take when an incident is detected in the organization's IT infrastructure. You can view the description and example for a step by clicking the link in its title. Each example is directly relevant to the step it accompanies.
For the incident conditions assumed in the examples, see the Incident conditions section.
For more information about response methods and tools, see the Incident Response Guide. Additional recommendations for incident detection and response are available on the Securelist website by Kaspersky.