Security Events

What are Security Events?

Security Events are alerts generated when the system detects potential security threats. These events are created automatically when software policies are violated, network IOCs are detected, or suspicious processes are identified.

Why Security Events Matter

Centralized Alerting: All security detections in one place
Prioritization: Events sorted by severity and impact
Context: Full information about what was detected and where
Workflow: Track investigation and resolution progress
Audit Trail: Complete history of security incidents

Accessing Security Events

Navigate to Events in the main menu
Filter by Category: Security
Or click on a detection from Software Policies

Understanding Security Events

Event Types

Event Type	Source	Description
Software Blacklist	Software Policy	Prohibited software detected
Process Blacklist	Software Policy	Suspicious process running
Network IOC	IOC Scan	Connection to malicious IP
LOLBAS Detection	Process Monitor	System tool abuse detected

Severity Levels

Severity	Color	Response Time	Examples
Critical	Red	Immediate	Ransomware, Active C2
Major	Orange	Within 1 hour	RAT detected, Backdoor
Warning	Yellow	Within 24 hours	PUP, Policy violation
Info	Blue	Scheduled review	Monitoring alerts

Event Status

Status	Meaning
Open	New detection, needs investigation
Acknowledged	Under investigation
Resolved	Investigation complete, issue addressed
Closed	No action needed or false positive

Event Details

Basic Information

Each security event displays:

Title: What was detected
Severity: How critical is this threat
Status: Current investigation status
Timestamp: When detection occurred
Category: Security event type

Detection Context

For each detection:

Affected Host: Server or workstation name
CI Link: Direct link to CMDB entry
Policy: Which software policy was triggered
Malware Family: Associated threat (if known)

Network IOC Details

For network-based detections:

Remote IP: The malicious destination
Remote Port: Communication port
Process Name: What initiated the connection
Connection Count: Number of observations

Recommended Actions

The system suggests next steps:

Investigation steps to perform
Remediation actions to take
Escalation recommendations
Documentation requirements

Working with Events

Acknowledging Events

When you begin investigating:

Click the event to open details
Click Acknowledge
Add notes about your investigation
Event moves to "Acknowledged" status

Adding Notes

Document your investigation:

Open the event
Scroll to Notes section
Click Add Note
Enter investigation findings
Notes are timestamped and attributed

Resolving Events

When investigation is complete:

Open the event
Click Resolve
Select resolution reason:
- Confirmed threat (remediated)
- False positive
- No action required
- Escalated to incident
Add final notes
Event moves to "Resolved" status

Event Filtering

By Severity

Focus on what matters most:

Critical only: Active threats requiring immediate response
Critical + Major: All significant security events
All: Complete visibility including informational

By Status

Track investigation progress:

Open: New events needing attention
Acknowledged: Currently being investigated
Resolved: Completed investigations

By Time Range

Review specific periods:

Last 24 hours
Last 7 days
Last 30 days
Custom date range

By Host

Focus on specific assets:

Search by hostname
Filter by CI type (Server/Workstation)
View events for specific business units

Security Event Workflow

Standard Response Process

┌─────────────────────────────────────┐
│  1. Detection Created (Open)         │
│     - System detects threat          │
│     - Event created automatically    │
│     - Notifications sent             │
└─────────────────┬───────────────────┘
                  │
                  ▼
┌─────────────────────────────────────┐
│  2. Triage (Acknowledged)            │
│     - Analyst reviews event          │
│     - Severity confirmed/adjusted    │
│     - Initial assessment documented  │
└─────────────────┬───────────────────┘
                  │
                  ▼
┌─────────────────────────────────────┐
│  3. Investigation                    │
│     - Gather additional evidence     │
│     - Assess impact and scope        │
│     - Identify root cause            │
└─────────────────┬───────────────────┘
                  │
                  ▼
┌─────────────────────────────────────┐
│  4. Response                         │
│     - Contain if needed              │
│     - Remediate threat               │
│     - Verify cleanup                 │
└─────────────────┬───────────────────┘
                  │
                  ▼
┌─────────────────────────────────────┐
│  5. Resolution (Resolved)            │
│     - Document findings              │
│     - Close event with notes         │
│     - Update policies if needed      │
└─────────────────────────────────────┘

Critical Event Response

For critical severity events:

Immediate notification sent to security team
Acknowledge within 15 minutes
Initial assessment within 30 minutes
Containment decision within 1 hour
Full investigation within 4 hours
Resolution or escalation within 8 hours

Reporting

Event Summary

Generate reports showing:

Total events by severity
Events by detection type
Mean time to acknowledge
Mean time to resolve
Events by host/business unit

Compliance Documentation

Export event data for audits:

Complete event history
Investigation notes
Resolution details
Timeline of actions

Best Practices

Effective Triage

Review critical events first
Check for related events (same host, same malware)
Verify detection accuracy before escalating
Document even negative findings

Investigation Quality

Gather host context from CMDB
Review network relationships
Check for lateral movement
Document evidence thoroughly

Resolution Standards

Always add resolution notes
Specify the root cause
Document remediation steps
Note any policy changes needed

Frequently Asked Questions

Q: What if I get too many events? A: Review policies for false positive patterns. Add exclusions for verified non-threats. Adjust severity levels appropriately.

Q: Can events be automatically resolved? A: No, security events require human review. This ensures proper investigation and documentation.

Q: How long are events retained? A: Event history is retained according to your organization's data retention policy, typically 1-7 years for security events.

Q: Can I reopen a resolved event? A: Yes, if new information surfaces. Add notes explaining why it was reopened.

Software Policies - Configure what gets detected
Threat Intelligence - Understand threat sources
Network IOC Scanning - Network detection details

What are Security Events?​

Why Security Events Matter​

Accessing Security Events​

Understanding Security Events​

Event Types​

Severity Levels​

Event Status​

Event Details​

Basic Information​

Detection Context​

Network IOC Details​

Recommended Actions​

Working with Events​

Acknowledging Events​

Adding Notes​

Resolving Events​

Event Filtering​

By Severity​

By Status​

By Time Range​

By Host​

Security Event Workflow​

Standard Response Process​

Critical Event Response​

Reporting​

Event Summary​

Compliance Documentation​

Best Practices​

Effective Triage​

Investigation Quality​

Resolution Standards​

Frequently Asked Questions​

Related Topics​