Incident Response Report

by Josef Weiss
July 3, 2014

This report displays incident response details for systems in your environment that have active intrusion events. Intrusion events are events triggered by plugin 800125 (Long Term Intrusion Activity) or plugin 800017 (Intrusion Statistics).

This report uses those two plugins to assemble and filter vulnerability data for hosts that may have intrusion events associated with them, based on the events that have already been triggered.

This report contains chapters that present an executive summary, identification of devices, vulnerabilities, exploits and intrusion events, and remediation actions. They are as follows:

Executive Summary

This chapter provides a high-level overview by presenting the following: a bar graph counting hosts with intrusion events by class C address space; an event trend of normalized events, unnormalized events, and intrusion events over the last 7 days; the top 10 exploitable vulnerabilities for all devices; and a summary of intrusion events. The chapter also contains a table of the existing exploitable vulnerabilities for all devices, sorted by severity. It is important to report all known exploitable vulnerabilities, as these are the weakest points: if an intrusion has occurred, these devices could be the first to be compromised.
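To make the correlation described above concrete, here is an added illustration (not SecurityCenter or LCE code) of the logic the report applies: only hosts on which plugin 800125 or 800017 has fired are kept, their vulnerability data is filtered to exploitable findings and sorted by severity, and the intruded hosts are bucketed by class C network as the executive-summary bar graph does. The event and vulnerability records are constructed for the example; the field layout and severity scale (0 to 4) are assumptions, not SecurityCenter's export format.

```python
"""Illustration of the report's correlation: restrict vulnerability data to
hosts that already have intrusion events, then rank what is exploitable.
Added example, not SecurityCenter or LCE code. All data below is constructed."""
from collections import Counter, defaultdict
import ipaddress

# Plugin IDs named in the report text: the two intrusion-event plugins.
INTRUSION_PLUGINS = {800125, 800017}

# Constructed events: (plugin_id, host_ip). Only plugins in INTRUSION_PLUGINS
# count as intrusion events; anything else is ignored by the filter.
EVENTS = [
    (800125, "192.168.1.10"),
    (800017, "192.168.1.10"),
    (800017, "192.168.1.22"),
    (800125, "10.0.5.7"),
    (800000, "192.168.1.30"),   # assumed unrelated plugin: not an intrusion event
]

# Constructed vulnerability records: (host_ip, plugin_id, severity 0-4, exploitable)
VULNS = [
    ("192.168.1.10", 12345, 4, True),
    ("192.168.1.10", 12346, 2, False),   # not exploitable: dropped
    ("192.168.1.22", 12347, 3, True),
    ("192.168.1.30", 12348, 4, True),    # host has no intrusion event: dropped
    ("10.0.5.7", 12349, 3, True),
    ("10.0.5.7", 12350, 1, True),
]

SEVERITY_NAME = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}


def hosts_with_intrusion_events(events, plugins=INTRUSION_PLUGINS):
    """Hosts on which at least one intrusion-event plugin has fired."""
    return {ip for pid, ip in events if pid in plugins}


def exploitable_vulns_for_intruded_hosts(vulns, events, top_n=10):
    """Keep exploitable findings on intruded hosts, highest severity first."""
    hosts = hosts_with_intrusion_events(events)
    hits = [v for v in vulns if v[0] in hosts and v[3]]
    hits.sort(key=lambda v: (-v[2], v[0], v[1]))   # severity desc, then host, plugin
    return hits[:top_n]


def intruded_hosts_by_class_c(events):
    """Count intruded hosts per /24, as the executive-summary bar graph does."""
    counts = Counter()
    for ip in hosts_with_intrusion_events(events):
        net = ipaddress.ip_network(f"{ip}/24", strict=False)
        counts[str(net)] += 1
    return dict(counts)


def intrusion_event_summary(events, plugins=INTRUSION_PLUGINS):
    """Per-host count of intrusion events, broken down by plugin."""
    summary = defaultdict(Counter)
    for pid, ip in events:
        if pid in plugins:
            summary[ip][pid] += 1
    return {ip: dict(c) for ip, c in summary.items()}


if __name__ == "__main__":
    for net, n in sorted(intruded_hosts_by_class_c(EVENTS).items()):
        print(f"{net}: {n} host(s) with intrusion events")
    for ip, pid, sev, _ in exploitable_vulns_for_intruded_hosts(VULNS, EVENTS):
        print(f"{ip}  plugin {pid}  {SEVERITY_NAME[sev]}")
    for ip, per_plugin in sorted(intrusion_event_summary(EVENTS).items()):
        print(f"{ip}: {per_plugin}")
```

Note that 192.168.1.30 carries a Critical exploitable finding but never appears in the output: the report scopes vulnerability data to hosts with intrusion events, so that host belongs in a general vulnerability report rather than this one.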

Identification of Devices

This chapter provides a table and IP summary for hosts identified by the Intrusion Activity and Intrusion Statistics plugins. The chapter also contains a table of devices or hosts with detected intrusion activity events, showing IP address, NetBIOS and DNS name, OS CPE if known, and MAC address.

Vulnerabilities, Exploits, and Intrusion Concerns

This chapter provides details on vulnerabilities, exploits, and intrusion concerns by iterating over each host IP with the following tools: Detailed Vulnerability Summary (for the vulnerability summary), Top 10 Exploitable Vulnerabilities, Failed Compliance Checks, and an Intrusion Event Summary.

Remediation Actions

This chapter contains the Top 10 Remediation Actions, presented via a Remediation Summary, to assist in lowering risk.

The report is available in the SecurityCenter Feed, an app store of dashboards, reports, and assets. It can be located in the SecurityCenter Feed by selecting the category Threat Detection & Vulnerability Assessments and then the tag 'intrusion'. The report requirements are:

  • SecurityCenter 4.8.1
  • LCE 4.2.2