
Overview

UTMStack’s incident management system provides comprehensive capabilities for tracking, investigating, and responding to security incidents. The incident response workflow is accessible at /incident and integrates with alerts, SOAR automation, and threat intelligence to streamline security operations.

  • Incident Tracking - Centralized tracking of all security incidents
  • Response Coordination - Collaborate with team members on incident response
  • Automated Workflows - Leverage SOAR playbooks at /soar for automated response
  • Evidence Collection - Document and preserve incident evidence

Incident Lifecycle

Incident Phases

Incidents in UTMStack follow a structured lifecycle:
  1. Detection - Incident identified through alerts at /iframe, threat hunting, or external notification
  2. Triage - Initial assessment to determine severity, scope, and response priority
  3. Investigation - Deep analysis to understand attack vectors, impact, and root cause
  4. Containment - Actions to limit incident spread and prevent further damage
  5. Eradication - Remove threat actors and malicious artifacts from the environment
  6. Recovery - Restore systems and services to normal operations
  7. Post-Incident - Document lessons learned and implement improvements

Incident Statuses

  • New - Incident created but not yet assigned
  • Assigned - Incident assigned to an analyst for triage
  • Investigating - Active investigation in progress
  • Contained - Threat contained, eradication in progress
  • Resolved - Incident fully remediated and closed
  • False Positive - Determined to be benign activity

Incident Attributes

Core Information

Each incident includes:
  • Incident ID - Unique identifier (e.g., INC-2024-0001)
  • Title - Brief descriptive name
  • Severity - Critical, High, Medium, Low
  • Status - Current phase in incident lifecycle
  • Priority - Response priority (P1-P5)
  • Category - Incident type (Malware, Phishing, Data Breach, etc.)
  • Created Date - Incident creation timestamp
  • Assigned To - Primary incident responder
  • Related Alerts - Source alerts from /iframe
  • Affected Assets - Impacted systems from /data-sources
  • Description - Detailed incident summary

Classification

Incident Categories

  • Malware Infection - Malware, ransomware, or trojan detections
  • Phishing Attack - Email-based social engineering attempts
  • Unauthorized Access - Credential compromise or unauthorized login
  • Data Exfiltration - Potential data theft or unauthorized transfer
  • Denial of Service - DoS/DDoS attacks affecting availability
  • Policy Violation - Security policy or compliance violations
  • Insider Threat - Malicious or negligent insider activity
  • Web Attack - Web application exploitation attempts

Severity Levels

Severity | Definition | Response Time | Examples
Critical | Severe business impact, active breach | 15 minutes | Ransomware outbreak, active data breach
High | Significant impact, confirmed compromise | 1 hour | Confirmed malware on critical server
Medium | Moderate impact, potential compromise | 4 hours | Suspicious user activity, policy violation
Low | Limited impact, informational | 24 hours | Failed login attempts, minor violations
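The response-time targets in the table above can be enforced as a simple SLA check: given an incident's creation time and severity, compute the deadline for the first responder action and classify the incident as met, breached, or still open. The Python below is an added example and is not part of UTMStack or this documentation; the incident records, the fixed "current time", and the function names are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Response-time targets taken from the severity table on this page.
RESPONSE_SLA = {
    "Critical": timedelta(minutes=15),
    "High": timedelta(hours=1),
    "Medium": timedelta(hours=4),
    "Low": timedelta(hours=24),
}

# Constructed sample incidents (not real data). "first_response" is None while
# no responder action has been recorded yet.
SAMPLE_INCIDENTS = [
    {"id": "INC-2024-0001", "severity": "Critical",
     "created": "2024-03-01T10:00:00+00:00", "first_response": "2024-03-01T10:10:00+00:00"},
    {"id": "INC-2024-0002", "severity": "High",
     "created": "2024-03-01T09:00:00+00:00", "first_response": "2024-03-01T10:30:00+00:00"},
    {"id": "INC-2024-0003", "severity": "Low",
     "created": "2024-03-01T08:00:00+00:00", "first_response": None},
    {"id": "INC-2024-0004", "severity": "Medium",
     "created": "2024-03-01T06:00:00+00:00", "first_response": None},
]

# Fixed "current time" so the example is deterministic (constructed).
NOW = datetime.fromisoformat("2024-03-01T12:00:00+00:00")


def response_deadline(created_at: datetime, severity: str) -> datetime:
    """Time by which the first response is due, per the severity table."""
    if severity not in RESPONSE_SLA:
        raise ValueError(f"unknown severity {severity!r}; expected one of {sorted(RESPONSE_SLA)}")
    return created_at + RESPONSE_SLA[severity]


def sla_status(created_at: datetime, severity: str, first_response_at=None, now=None) -> str:
    """'met' or 'breached' once a response exists; 'open' or 'breached' while still waiting."""
    deadline = response_deadline(created_at, severity)
    if first_response_at is not None:
        return "met" if first_response_at <= deadline else "breached"
    now = now or datetime.now(timezone.utc)
    return "breached" if now > deadline else "open"


def sla_report(incidents, now: datetime) -> dict:
    """Map each incident ID to its SLA status as of `now`."""
    report = {}
    for inc in incidents:
        created = datetime.fromisoformat(inc["created"])
        responded = datetime.fromisoformat(inc["first_response"]) if inc["first_response"] else None
        report[inc["id"]] = sla_status(created, inc["severity"], responded, now)
    return report


if __name__ == "__main__":
    for incident_id, status in sla_report(SAMPLE_INCIDENTS, NOW).items():
        print(f"{incident_id}: {status}")
```

Feeding the report into a dashboard or a scheduled notification gives the team a breach list without anyone re-reading the severity table; unknown severities raise rather than silently defaulting to the most lenient target.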

Incident Response Workflow

Creating an Incident

  1. Navigate to Incident Management - Go to /incident to access the incident interface
  2. Create New Incident - Click “Create Incident” or escalate from an alert at /iframe
  3. Enter Incident Details:
     • Title and description
     • Category and severity
     • Affected assets from /data-sources
     • Related alerts
  4. Assign Responder - Assign to the appropriate analyst or response team
  5. Set Priority - Determine response priority based on severity and business impact
  6. Notify Stakeholders - Alert relevant team members and management as required

Investigation Process

  1. Review Initial Information - Examine incident details, related alerts, and source events
  2. Gather Context:
     • Check threat intelligence at /threat-intelligence
     • Review asset information at /data-sources
     • Query logs at /discover for related activity
  3. Identify Indicators - Document IOCs (IPs, domains, hashes, file paths)
  4. Determine Scope:
     • Timeline of attacker activity
     • Full list of affected systems
     • Data or systems accessed
     • Persistence mechanisms
  5. Assess Impact:
     • Business systems affected
     • Data potentially compromised
     • Regulatory notification requirements
  6. Document Findings - Update the incident with investigation notes and evidence

Containment Actions

Common containment measures:

  • Network Isolation - Isolate affected systems at network or host level
  • Account Suspension - Disable compromised accounts via /active-directory
  • Block IOCs - Add malicious indicators to blocklists via integrations
  • Endpoint Quarantine - Quarantine endpoints through EDR integration
  • Access Revocation - Revoke access tokens and force re-authentication
  • Traffic Blocking - Block malicious IPs/domains at firewall or proxy

Eradication and Recovery

  1. Remove Malicious Artifacts:
     • Delete malware files
     • Remove backdoors and persistence
     • Clean registry keys and scheduled tasks
  2. Patch Vulnerabilities - Apply security patches for the vulnerabilities that enabled the compromise
  3. Reset Credentials - Force password resets for affected accounts
  4. Restore from Backup - Restore affected systems from known-good backups if needed
  5. Verify Clean State - Scan systems to confirm complete removal of threats
  6. Return to Service - Gradually restore systems and monitor for reinfection

SOAR Integration

Automated Response Playbooks

Trigger automated workflows from /soar for common incident types:

Malware Response

  • Isolate host
  • Collect forensic artifacts
  • Submit samples for analysis
  • Block IOCs across infrastructure

Phishing Response

  • Delete malicious emails
  • Disable sender
  • Extract and block IOCs
  • Notify affected users

Account Compromise

  • Force password reset
  • Revoke active sessions
  • Review account activity logs
  • Enable enhanced monitoring

Data Breach

  • Identify exfiltrated data
  • Block egress channels
  • Preserve evidence
  • Initiate notification workflow

Manual Playbook Execution

  1. Select Incident - Open the incident at /incident that requires automated response
  2. Choose Playbook - Navigate to /soar and select the appropriate response playbook
  3. Configure Parameters - Provide incident-specific information (IOCs, affected systems)
  4. Review Actions - Verify the automated actions before execution
  5. Execute Playbook - Run the playbook and monitor progress
  6. Document Results - Add playbook results and outputs to incident notes

Evidence Management

Collecting Evidence

Maintain proper chain of custody for evidence that may be used in legal proceedings or regulatory investigations.
Types of evidence to collect:
  • Log Files - Export relevant logs from /discover
  • Network Captures - PCAPs of malicious traffic
  • Disk Images - Forensic images of affected systems
  • Memory Dumps - RAM captures for malware analysis
  • Screenshots - Visual documentation of findings
  • IOC Lists - Documented indicators of compromise
  • Timeline - Chronological sequence of events

Evidence Documentation

  1. Identify Evidence - Determine what data is relevant to the incident
  2. Preserve Original - Create forensic copies; never work on originals
  3. Calculate Hashes - Document MD5/SHA256 hashes for integrity verification
  4. Document Collection - Record who collected evidence, when, and how
  5. Secure Storage - Store evidence securely with access controls
  6. Attach to Incident - Link evidence files to the incident record at /incident
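Steps 3 and 4 above (hashing and recording who collected what, when, and how) are easy to get wrong by hand, so most teams script them. The Python below is an added example, not UTMStack code and not something this page prescribes: it streams a file through MD5 and SHA-256, appends a chain-of-custody entry to a JSON-lines manifest, and re-verifies the file against that entry later. The file contents, incident ID, collector address and manifest format are constructed placeholders.

```python
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def hash_file(path: Path) -> dict:
    """Stream the file once and return its size plus MD5 and SHA-256 digests."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            md5.update(chunk)
            sha256.update(chunk)
    return {"size": path.stat().st_size, "md5": md5.hexdigest(), "sha256": sha256.hexdigest()}


def record_evidence(path: Path, incident_id: str, collected_by: str, method: str, manifest: Path) -> dict:
    """Append a chain-of-custody entry (who, when, how, hashes) to an append-only JSON-lines manifest."""
    entry = {
        "incident_id": incident_id,
        "file": path.name,
        "collected_by": collected_by,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "method": method,
        **hash_file(path),
    }
    with manifest.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


def verify_evidence(path: Path, entry: dict) -> bool:
    """Re-hash the file and compare with its manifest entry; any change fails verification."""
    current = hash_file(path)
    return current["size"] == entry["size"] and current["sha256"] == entry["sha256"]


def demo() -> dict:
    """Run one collect/verify cycle on a constructed file inside a temporary directory."""
    # Constructed evidence content; not a real log line.
    data = b"constructed sample log line: failed login for user alice from 10.0.0.5\n"
    with tempfile.TemporaryDirectory() as tmp:
        evidence = Path(tmp) / "auth.log"
        manifest = Path(tmp) / "custody.jsonl"
        evidence.write_bytes(data)
        entry = record_evidence(
            evidence, "INC-2024-0001", "analyst@example.com", "exported from /discover", manifest
        )
        intact = verify_evidence(evidence, entry)
        # Simulate a modification after collection: verification must now fail.
        evidence.write_bytes(data + b"tampered\n")
        after_tamper = verify_evidence(evidence, entry)
        manifest_lines = manifest.read_text(encoding="utf-8").count("\n")
    return {
        "entry": entry,
        "intact": intact,
        "after_tamper": after_tamper,
        "expected_sha256": hashlib.sha256(data).hexdigest(),
        "manifest_lines": manifest_lines,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Verification deliberately keys on SHA-256 and size; MD5 is recorded only because older tooling and some report templates still ask for it, not as the integrity check.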

Collaboration and Communication

Team Coordination

  • Incident Notes - Real-time updates and investigation findings
  • Task Assignment - Distribute response tasks among team members
  • Status Updates - Regular updates to stakeholders and management
  • Handoff Documentation - Clear documentation for shift changes

Stakeholder Communication

Maintain communication with:
  1. Executive Management - High-level status and business impact
  2. Legal/Compliance - Regulatory notification requirements
  3. IT Operations - Technical coordination and system access
  4. Business Units - Affected department notifications
  5. External Parties - Law enforcement, vendors, customers (if required)

Metrics and Reporting

Incident Metrics

Track key performance indicators:
  • Mean Time to Detect (MTTD) - Time from incident start to detection
  • Mean Time to Respond (MTTR) - Time from detection to containment
  • Mean Time to Recover - Time from containment to full recovery
  • Incident Volume - Total incidents by period
  • Incident by Severity - Distribution across severity levels
  • Incident by Category - Common incident types
  • Response Effectiveness - Successful containment rate
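The metrics listed above follow directly from the timestamps an incident record already carries (start, detection, containment, recovery) plus its severity, category and status. The Python below is an added example, not UTMStack's reporting code; the incident records are constructed, and the choice to exclude incidents marked False Positive from the time-based averages and from the containment rate is an assumption made here for illustration.

```python
from collections import Counter
from datetime import datetime
from statistics import mean

# Constructed sample incident records with ISO-8601 UTC timestamps (not real data).
SAMPLE_INCIDENTS = [
    {"id": "INC-2024-0001", "severity": "High", "category": "Malware Infection", "status": "Resolved",
     "started": "2024-03-01T08:00:00+00:00", "detected": "2024-03-01T10:00:00+00:00",
     "contained": "2024-03-01T11:00:00+00:00", "recovered": "2024-03-01T15:00:00+00:00"},
    {"id": "INC-2024-0002", "severity": "Critical", "category": "Phishing Attack", "status": "Resolved",
     "started": "2024-03-02T00:00:00+00:00", "detected": "2024-03-02T04:00:00+00:00",
     "contained": "2024-03-02T07:00:00+00:00", "recovered": "2024-03-02T13:00:00+00:00"},
    {"id": "INC-2024-0003", "severity": "Medium", "category": "Unauthorized Access", "status": "Investigating",
     "started": "2024-03-03T09:00:00+00:00", "detected": "2024-03-03T09:00:00+00:00",
     "contained": None, "recovered": None},
    {"id": "INC-2024-0004", "severity": "Low", "category": "Policy Violation", "status": "False Positive",
     "started": "2024-03-04T09:00:00+00:00", "detected": "2024-03-04T09:30:00+00:00",
     "contained": None, "recovered": None},
]


def _hours(start: str, end: str) -> float:
    """Elapsed hours between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600


def _mean_hours(incidents, start_key: str, end_key: str):
    """Mean of (end - start) in hours over incidents that have both timestamps; None if none do."""
    spans = [_hours(i[start_key], i[end_key]) for i in incidents if i.get(start_key) and i.get(end_key)]
    return round(mean(spans), 2) if spans else None


def incident_metrics(incidents) -> dict:
    """Compute the KPIs from the list above over a set of incident records."""
    # Assumption: false positives count toward volume but not toward time metrics or containment rate.
    real = [i for i in incidents if i["status"] != "False Positive"]
    contained = [i for i in real if i.get("contained")]
    return {
        "mttd_hours": _mean_hours(real, "started", "detected"),           # start -> detection
        "mttr_hours": _mean_hours(real, "detected", "contained"),         # detection -> containment
        "mean_time_to_recover_hours": _mean_hours(real, "contained", "recovered"),  # containment -> recovery
        "incident_volume": len(incidents),
        "by_severity": dict(Counter(i["severity"] for i in incidents)),
        "by_category": dict(Counter(i["category"] for i in incidents)),
        "containment_rate": round(len(contained) / len(real), 3) if real else None,
    }


if __name__ == "__main__":
    for name, value in incident_metrics(SAMPLE_INCIDENTS).items():
        print(f"{name}: {value}")
```

Averages are computed only over incidents that actually have both endpoints, so an open incident lowers the containment rate without distorting MTTR; if you want open incidents to count against MTTR as well, substitute the report time for the missing containment timestamp and say so in the report.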

Incident Reporting

Generate reports for:

  • Executive Summary - High-level overview for management from /dashboard
  • Technical Report - Detailed technical findings for the security team
  • Compliance Report - Regulatory reporting via /compliance
  • Lessons Learned - Post-incident review and recommendations

Post-Incident Activities

Post-Incident Review

  1. Schedule Review Meeting - Convene the incident response team within 1-2 weeks of closure
  2. Review Timeline - Walk through the incident timeline and response actions
  3. Identify Successes - Document what worked well during the response
  4. Identify Gaps - Determine areas for improvement in detection, response, or recovery
  5. Develop Action Items - Create specific tasks to address identified gaps
  6. Update Procedures - Revise runbooks, playbooks at /soar, and documentation
  7. Document Lessons - Add findings to the knowledge base for future reference

Continuous Improvement

Apply lessons learned:
  1. Detection Enhancement - Add new rules at /alerting-rules for similar threats
  2. Response Automation - Create SOAR playbooks at /soar for recurring scenarios
  3. Tool Improvements - Deploy new integrations at /integrations to fill gaps
  4. Training - Conduct tabletop exercises based on real incidents
  5. Documentation - Update response procedures and runbooks

Best Practices

During Incidents

  1. Document Everything - Real-time notes are critical for post-incident analysis
  2. Communicate Frequently - Keep stakeholders informed of status
  3. Follow Procedures - Adhere to established runbooks and playbooks
  4. Preserve Evidence - Follow forensic best practices
  5. Think Before Acting - Rushed actions can destroy evidence or worsen impact

Incident Management

  1. Clear Ownership - Every incident has a designated owner
  2. Status Updates - Update incident status as it progresses through lifecycle
  3. Consistent Categorization - Use standard categories and severities
  4. Link Related Items - Associate alerts, assets, and evidence
  5. Close Loop - Always complete post-incident review
