Function: Qualification (660ce9c7-4897-557e-b47a-3cea1c93a473)
Potential information security incidents need to be triaged and each qualified as an information security incident (true positive) or as a false alarm (false positive). Because analysts have a limited number of potential information security incidents they can analyze, and in order to avoid alert fatigue, automation is key. Mature tooling facilitates effective triage by enriching with context information, assigning risk scores based on the criticality of affected assets and identities and/or automatically identifying related information security events. Recurring cases that can be automated should be identified and automated. Potential information security incidents with higher criticality should be analyzed before less critical ones. In addition to qualification as true or false positives, a more fine-grained qualification is an important input for continuous improvement of detection use cases as well as the management of log sources, sensors, and contextual data sources. More fine-grained qualification can also support the definition of higher-quality KPIs for measuring the success of this service area.
| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Service: Event analysis (3818f4f7-4d89-5ca1-b129-4c31640b130c) | FIRST CSIRT Services Framework | Function: Qualification (660ce9c7-4897-557e-b47a-3cea1c93a473) | FIRST CSIRT Services Framework | 1 |