Function: Qualification (660ce9c7-4897-557e-b47a-3cea1c93a473)

Potential information security incidents need to be triaged and each qualified as an information security incident (true positive) or as a false alarm (false positive). Because analysts have a limited number of potential information security incidents they can analyze, and in order to avoid alert fatigue, automation is key. Mature tooling facilitates effective triage by enriching with context information, assigning risk scores based on the criticality of affected assets and identities and/or automatically identifying related information security events. Recurring cases that can be automated should be identified and automated. Potential information security incidents with higher criticality should be analyzed before less critical ones. In addition to qualification as true or false positives, a more fine-grained qualification is an important input for continuous improvement of detection use cases as well as the management of log sources, sensors, and contextual data sources. More fine-grained qualification can also support the definition of higher-quality KPIs for measuring the success of this service area.

Rows: 1
Loading extensions...
Use the filters above each column to filter and limit table data. Advanced searches can be performed by using the following operators:
<, <=, >, >=, =, *, !, {, }, ||,&&, **[empty]**, **[nonempty]**, **rgx:**
Learn more
TableFilter v0.7.2
https://www.tablefilter.com/
©2015-2025 Max Guglielmi
Close
?
Cluster A	Galaxy A	Cluster B	Galaxy B	Level
	Clear FIRST CSIRT Services Framework		Clear FIRST CSIRT Services Framework	Clear 1
Function: Qualification (660ce9c7-4897-557e-b47a-3cea1c93a473)	FIRST CSIRT Services Framework	Service: Event analysis (3818f4f7-4d89-5ca1-b129-4c31640b130c)	FIRST CSIRT Services Framework	1

Function: Qualification (660ce9c7-4897-557e-b47a-3cea1c93a473)

TableFilter v0.7.2