Cisco Firepower Management Center 2000
FireSIGHT System User Guide
Chapter 19: Handling Incidents
Incident handling refers to the response an organization takes when a violation of its security policies is 
suspected. The FireSIGHT System includes features to support you as you collect and process 
information that is relevant to your investigation of an incident. You can use these features to gather 
intrusion events and packet data that may be related to the incident. You can also use the incident as a 
repository for notes about any activity that you take outside of the FireSIGHT System to mitigate the 
effects of the attack. For example, if your security policies require that you quarantine compromised 
hosts from your network, you can note that in the incident. 
The FireSIGHT System also supports an incident life cycle, allowing you to change an incident’s status 
as you progress through your response to an attack. When you close an incident, you can note any 
changes you have made to your security policies as a result of any lessons learned.
See the sections that follow for more information about handling incidents in the FireSIGHT System.
Incident Handling Basics
License: Protection
Each organization is likely to have its own process for discovering, defining, and responding to 
violations of its security policies. The sections that follow describe some of the basics of incident 
handling and how you can incorporate the FireSIGHT System in your incident response plan.
Definition of an Incident
License: Protection