How are people logging cybersecurity incidents internally?
Posted by Necessary-Glove6682@reddit | sysadmin | 31 comments
We’ve had a couple of small issues recently (unauthorized login, email spoofing), but we don’t have a consistent way to log or track them.
Is there a simple method or tool you’re using for internal incident records that doesn’t turn into a full audit system?
CMDR_Tauri@reddit
We forward the incident tickets to the Security team's queue. They delete the tickets. It's all very clean and efficient.
SikhGamer@reddit
https://giphy.com/gifs/beautiful-its-i5wNCqyMzY2Oc
Zerafiall@reddit
And then they say “We’ve detected no signs of compromise”
CoffeePizzaSushiDick@reddit
Kudos to another year of clean audits!
fieroloki@reddit
A nice hearty chuckle for that. Thanks.
zedarzy@reddit
Send email to cybersec team in India and wait half a year for response.
Reasonable_Host_5004@reddit
SharePoint List
MechaCola@reddit
I tag the AD account
Recent_Carpenter8644@reddit
Can you elaborate?
ManyInterests@reddit
Jira.
virtualadept@reddit
Where every kind of issue goes to die a slow, lingering death.
gumbrilla@reddit
Yes, of course, it's required in our policies that security incidents are reported and investigated, and our policies are audited (probably this falls under SOC2), so we have to evidence it.
We have a ticket system for it; you can use a queue in your existing ticket system, of course. It's sufficient as a system of record for us, with the who, what, and whens.
I've worked in places that hadn't, and having an ex military police chap follow you around with his notebook was kind of fun and all, but, really stupid.
geegol@reddit
Well I know an EDR with the correct rule settings could log incidents or unauthorized activity.
CptBronzeBalls@reddit
logging what now?
arsonislegal@reddit
Tickets, and I would upload full incident RCAs with all associated logs and records into a specific SharePoint site. Subfolder for each incident.
illintent66@reddit
The Hive by Strangebee
iama_bad_person@reddit
You guys are logging cybersecurity incidents?
KimImpossible86@reddit
Does sending an email count?
Afraid_Suggestion311@reddit
Shared google doc :(
Digimon54321@reddit
CrowdStrike and Dell (now Sophos?) Taegis have great incident management portals
G4rp@reddit
Excel
zrad603@reddit
what security incident? we never had a security incident.
WackyInflatableGuy@reddit
Just our ticketing system and a secure, locked-down repository in our DMS for digital evidence storage. Works well for us.
volrod64@reddit
Wazuh
sdbrett@reddit
Send all logs to /dev/null
An incident doesn't exist if it isn't logged
SysAdminDennyBob@reddit
Same way we track other IT incidents. We have a dedicated person for Problem Management. ServiceNow is our platform, but there are 2 dozen similar market solutions; you likely already have one in place. Use what you have.
The only difficult part in all of this, which is the same across all platforms, is getting people to type the incident into the system. Simple data entry is your likely problem as opposed to picking the perfect platform.
grahag@reddit
We pump them through Azure/Defender to our ticketing system. Depending on the severity, it can trigger a service impact notification, which prompts a conference bridge for all relevant departments to jump onto and investigate and resolve, which then becomes part of the record with Copilot transcribing the events.
krattalak@reddit
We spawned off an independent queue in our ticketing system.
Helpjuice@reddit
Use your existing ticket system; everything should have a full audit trail to track what was done about it and how long it took. This protects the business from negligence claims if things were mitigated and resolved in a timely fashion.
If you do not have a system set up, set one up for tracking all issues, projects, etc.
raip@reddit
JIRA for investigations. ServiceNOW SIR Module for full blown security incidents.
Ssakaa@reddit
Honestly, have and use the full audit process you would want for a true incident as a standard matter of process. Document the same across anything from the minor non-issue email spoofing that originates outside your environment to the all-hands-on-deck proper incident. Make every bit of that instinct and routine. You don't want to have to think about "what do I need to do differently" for tracking crap when everything's on fire. You want to have a known, tested, working system.
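Several replies converge on the same minimum: a system of record with the who, what and when, used the same way for a spoofed email as for a real breach, without building a full audit platform. The following is an added example, not code from the thread or from any tool named in it, showing how small that record can be while still being tamper-evident: each incident is one JSON line carrying a SHA-256 hash chained to the previous line, so a deleted or edited past entry fails verification. The field names, the severity and status vocabularies, and the two sample incidents are constructed assumptions.

```python
# Added example (not from the thread): a minimal, tamper-evident incident
# log in a single JSON Lines file. Each line carries the record plus a
# SHA-256 hash chained to the previous line, so editing or deleting a past
# entry is detectable without standing up a full audit system.
import hashlib
import json
import tempfile
from datetime import datetime
from pathlib import Path

# Hypothetical minimal schema: the "who, what, when" the thread mentions,
# plus severity and status so the list can be triaged.
REQUIRED_FIELDS = ("reported_by", "summary", "detected_at", "severity", "status")
SEVERITIES = ("low", "medium", "high", "critical")
STATUSES = ("open", "investigating", "mitigated", "closed")
GENESIS_HASH = "0" * 64  # chain anchor for the first entry


def validate(record: dict) -> None:
    """Reject records missing required fields or using unknown values."""
    missing = [f for f in REQUIRED_FIELDS if not record.get(f)]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    if record["severity"] not in SEVERITIES:
        raise ValueError(f"unknown severity: {record['severity']}")
    if record["status"] not in STATUSES:
        raise ValueError(f"unknown status: {record['status']}")
    datetime.fromisoformat(record["detected_at"])  # raises if not ISO 8601


def _entry_hash(prev_hash: str, record: dict) -> str:
    # Canonical serialisation so the same record always hashes the same way.
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def _last_hash(path: Path) -> str:
    if not path.exists():
        return GENESIS_HASH
    lines = path.read_text(encoding="utf-8").splitlines()
    return json.loads(lines[-1])["hash"] if lines else GENESIS_HASH


def append_incident(path: Path, record: dict) -> dict:
    """Validate, chain to the previous entry and append one JSON line."""
    validate(record)
    prev = _last_hash(path)
    entry = {"prev": prev, "record": record, "hash": _entry_hash(prev, record)}
    with path.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry, sort_keys=True) + "\n")
    return entry


def verify_chain(path: Path) -> tuple:
    """Return (ok, n): n is entries checked, or the first bad line on failure."""
    prev = GENESIS_HASH
    count = 0
    for count, line in enumerate(path.read_text(encoding="utf-8").splitlines(), start=1):
        entry = json.loads(line)
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["record"]):
            return False, count
        prev = entry["hash"]
    return True, count


def demo() -> dict:
    """Constructed sample run: two incidents, then a tampered copy of the log."""
    incidents = [  # constructed sample data, loosely matching the OP's two issues
        {"reported_by": "helpdesk", "summary": "unauthorized login to shared mailbox",
         "detected_at": "2024-01-15T09:30:00+00:00", "severity": "medium", "status": "open"},
        {"reported_by": "mailadmin", "summary": "spoofed email impersonating CFO",
         "detected_at": "2024-01-16T14:05:00+00:00", "severity": "low", "status": "closed"},
    ]
    with tempfile.TemporaryDirectory() as tmp:
        log = Path(tmp) / "incidents.jsonl"
        for inc in incidents:
            append_incident(log, inc)
        intact = verify_chain(log)
        # Downgrade the first entry's severity in place, as a "clean-up" might.
        lines = log.read_text(encoding="utf-8").splitlines()
        tampered = json.loads(lines[0])
        tampered["record"]["severity"] = "low"
        lines[0] = json.dumps(tampered, sort_keys=True)
        log.write_text("\n".join(lines) + "\n", encoding="utf-8")
        broken = verify_chain(log)
    try:
        validate({"reported_by": "x", "summary": "no timestamp, severity or status"})
        rejected = False
    except ValueError:
        rejected = True
    return {"intact": intact, "broken": broken, "rejected_incomplete": rejected}


if __name__ == "__main__":
    print(demo())
```

The file itself is the record; keeping it in a repository or DMS with restricted write access, as one reply describes, is what makes the chain meaningful, since anyone who can rewrite the whole file can also recompute every hash. Periodically copying the latest hash somewhere the log's writers cannot reach gives a cheap external anchor for verification.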