Cisco FirePOWER Appliance 7030
FireSIGHT System User Guide
Chapter 19
Handling Incidents
Incident handling refers to the response an organization takes when a violation of its security policies is
suspected. The FireSIGHT System includes features to support you as you collect and process
information that is relevant to your investigation of an incident. You can use these features to gather
intrusion events and packet data that may be related to the incident. You can also use the incident as a
repository for notes about any activity that you take outside of the FireSIGHT System to mitigate the
effects of the attack. For example, if your security policies require that you quarantine compromised
hosts from your network, you can note that in the incident.
The FireSIGHT System also supports an incident life cycle, allowing you to change an incident’s status
as you progress through your response to an attack. When you close an incident, you can note any
changes you have made to your security policies as a result of any lessons learned.
The sections that follow provide more information about handling incidents in the FireSIGHT System.
Incident Handling Basics
License: Protection
Each organization is likely to have its own process for discovering, defining, and responding to
violations of its security policies. The sections that follow describe some of the basics of incident
handling and how you can incorporate the FireSIGHT System in your incident response plan.
Definition of an Incident
License: Protection