This scenario represents a sample workflow of an incident investigation.
Incident investigation proceeds in stages:

1. Assign the alert to yourself or to another user.
2. View the information about the alert and make sure that the alert event data actually matches the triggered correlation rule.
3. Analyze the information about the alert to determine what additional data is required for its further analysis.
4. Run the available integrations to enrich the event with additional data (for example, Kaspersky TIP).
5. Make sure that the activity that triggered the correlation rule is abnormal for the organization's IT infrastructure, that is, rule out a false positive.
6. If steps 3 to 5 reveal that the alert requires investigation, create an incident or link the alert to an existing incident. You can also merge incidents.
7. Investigate the incident. This step includes viewing information about the assets, user accounts, and alerts related to the incident. You can use the investigation graph and threat hunting tools to get additional information.
8. View the alerts that occurred on the assets related to the incident.
9. Expand the investigation scope by searching for the events of related alerts.
10. Record the information necessary for the investigation in the incident change log.
11. Perform response actions manually.
12. After taking measures to clean up the traces of the attacker's presence from the organization's IT infrastructure, close the incident.
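The triage decisions in steps 2 to 6 (does the event data really satisfy the rule, what does enrichment say, is the activity outside the organization's baseline, and should the alert become a new incident, be linked to an existing one, or be closed as a false positive) are often scripted when alert volume is high. The following is an added example that is not part of the original page and not KUMA's own code or API: the correlation rule, alert events, threat-intelligence verdicts, external-network baseline, and open-incident table are all constructed inline, and the threat-intelligence dictionary merely stands in for an enrichment source such as Kaspersky TIP.

```python
"""Alert triage helper illustrating steps 2 to 6 of the workflow.

Added example; not KUMA's own code or API. The rule, alert, threat-intel
table, baseline and open-incident list below are all constructed inline.
"""
from ipaddress import ip_address, ip_network

# Constructed correlation rule: every condition must hold for every event
# in the alert for the alert to be consistent with the rule that fired.
RULE = {
    "name": "Outbound connection to rare external host",
    "conditions": [("event_type", "==", "network_connection"),
                   ("direction", "==", "outbound")],
}

# Constructed alert: the events the correlation rule grouped together.
ALERT_EVENTS = [
    {"event_type": "network_connection", "direction": "outbound",
     "src_ip": "10.0.5.17", "dst_ip": "203.0.113.42", "user": "jdoe"},
    {"event_type": "network_connection", "direction": "outbound",
     "src_ip": "10.0.5.17", "dst_ip": "203.0.113.42", "user": "jdoe"},
]

# Constructed threat-intelligence lookup standing in for an enrichment
# source such as Kaspersky TIP (hypothetical verdicts, not real data).
THREAT_INTEL = {"203.0.113.42": "malicious"}

# Constructed baseline: external networks the organization talks to routinely.
KNOWN_EXTERNAL = [ip_network("198.51.100.0/24")]

# Constructed table of open incidents keyed by the indicator they cover.
OPEN_INCIDENTS = {"203.0.113.42": "INC-0001"}


def matches_rule(events, rule):
    """Step 2: every alert event must satisfy every rule condition."""
    ops = {"==": lambda a, b: a == b, "!=": lambda a, b: a != b}
    for ev in events:
        for field_name, op, value in rule["conditions"]:
            if not ops[op](ev.get(field_name), value):
                return False
    return bool(events)  # an alert with no events cannot match anything


def enrich(events, intel):
    """Step 4: attach a TI verdict to every destination address."""
    return {ev["dst_ip"]: intel.get(ev["dst_ip"], "unknown") for ev in events}


def is_abnormal(events, known_networks):
    """Step 5: abnormal if any destination lies outside the known baseline."""
    for ev in events:
        dst = ip_address(ev["dst_ip"])
        if not any(dst in net for net in known_networks):
            return True
    return False


def triage(events, rule, intel, known_networks, open_incidents):
    """Step 6: decide what to do with the alert.

    Returns 'close_false_positive', 'link:<incident id>' or 'create_incident'.
    """
    if not matches_rule(events, rule):
        return "close_false_positive"  # rule and event data disagree
    verdicts = enrich(events, intel)
    if (not is_abnormal(events, known_networks)
            and "malicious" not in verdicts.values()):
        return "close_false_positive"  # routine activity, no TI hit
    for indicator in verdicts:
        if indicator in open_incidents:
            return "link:" + open_incidents[indicator]  # same campaign
    return "create_incident"


if __name__ == "__main__":
    print(triage(ALERT_EVENTS, RULE, THREAT_INTEL, KNOWN_EXTERNAL, OPEN_INCIDENTS))
```

The order of the checks matters: an alert whose events do not satisfy the rule is closed before any enrichment is consulted, because a rule that fired on mismatched data says nothing about the host, and only an alert that is both consistent with its rule and either abnormal or flagged by threat intelligence reaches the incident-creation decision.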