If the SOC analysts determine there's a threat in an organization’s environment, an incident is created or an investigation is promoted to an Incident.
Incidents are similar to investigations in that they include investigative actions and have a similar look and feel. Incidents, however, include findings. Findings are the details that answer these common questions:
- What is it?
- Where is it?
- When did it get here?
- How did it get here?

Incidents can also include remediation and resilience actions.