If SOC analysts determine that there is a threat in an organization's environment, an incident is created, or an existing investigation is promoted to an incident.

Incidents are similar to investigations in that they include investigative actions and have a similar look and feel. Incidents, however, also include findings. Findings record the answers to the common questions that must be answered about a threat:

  • What is it?

  • Where is it?

  • When did it get here?

  • How did it get here?

Incidents can also include remediation and resilience actions.