Hello,
I'm in the process of adding 'investigations' to MozDef as an entity
to facilitate the work that typical security operations groups do to
figure out if an event or alert should be escalated to 'incident'
status.
I'm interested in feedback about metrics/processes that you use that
might take advantage of 'investigations'?
Currently you have the ability to
1) Define a timeframe for the investigation (i.e. suspicious activity
started at X and ended at Y)
2) Record indicators (IPv4 addresses, MAC addresses, usernames, etc.)
3) Add references to other systems (URLs, ticket numbers, etc.)
4) Add free form notes
5) Add other timestamps
6) Add theories
7) Record mitigations you put in place or plan to use
8) Record lessons learned
9) Tag the investigation with VERIS
http://demo.mozdef.com:3000/ is updated to include the current version
of investigations. Check it out if you get a chance and let me know
what you think!
http://demo.mozdef.com:3000/investigations
Thanks,
Jeff.