Alerts evaluation system
One of the remarkable capabilities of Inopli is its ability to interrogate and respond to alerts autonomously, which aids in averting duplicate incidents and accelerating the resolution process. This is how Inopli effectively and intelligently manages the workload in Incident Management.
Here are 6 crucial questions that Inopli poses and its corresponding actions during the initial alert evaluation.
Is a single attack generating a substantial number of alerts?
The goal of this question is to identify multiple alerts stemming from the same threat via the same attack pathway. A 'Yes' implies a need to filter alerts, allowing only a few to become incidents. This significantly reduces the burden of duplicate incidents or excessive alerts, letting the analyst focus on more unique and complex incidents.
Is the alert associated with a broader-scale attack?
This question seeks to identify multiple alerts from a single attack. For instance, a web attack using a botnet could attack from various hosts to increase speed. Inopli groups such similar alerts into one incident, reducing operational load and improving Incident Management.
Does the alert pertain to an incident awaiting resolution, currently being addressed, or a previously resolved incident?
This question seeks to determine if a new alert is related to active or resolved incidents. Monitoring solutions often generate multiple alerts for persistent threats, creating a data surge for Incident Management systems. Alerts may keep appearing until containment actions are fully executed, especially when response measures take time to spread across clusters or when incidents need to be delegated to an ITSM solution. Inopli addresses this by correlating alerts to remove duplicates and consolidate related alerts into one incident, thereby speeding up response and reducing operational load.
Can the alert be evaluated based on the intelligence base?
Inopli features a strong intelligence management system that accurately identifies and categorizes alerts. This function enhances the solution's analytics by incorporating the security team's specific expertise. The process involves two separate lists for different alert scenarios. The first list, known as confirmed threats, is used to identify true positives, ensuring such alerts are promptly addressed. The second list, called exceptions, is designed to detect and eliminate false positives. This list helps to automatically filter out and discard such alerts, so only those that don't match any known false positives are advanced to the next response stage.
Is the alert associated with a documented correlation rule?
In the initial alert assessment, Inopli applies predefined correlation rules at Documents Management. Upon receiving an alert, the solution scans the rule repository. If there's a direct rule for the incoming alert, it proceeds to the next response stages. However, if there's no rule, Inopli marks the alert as 'non-associated' and stops further progress. This feature ensures efficient Incident Management by dedicating resources only to alerts that align with established correlation rules.
Is the correlation rule's documentation tailored to the impacted customer?
Inopli prioritizes customers when evaluating alerts and transforming them into incidents. Before turning an alert into an incident, the solution checks the correlation rule linked to the alert and seeks customer-specific documentation. If a dedicated customer profile is available, it's used to fill in necessary incident details. Without a profile, Inopli uses the default version in the correlation rule to create the incident. This process ensures personalized and effective Incident Management for each customer.