Hi folks,

For the next release of Sentinel, we're embarking on a substantial
re-work of our threat response workflow with the goal of presenting
operators and analysts with exactly the information they need at exactly
the right time. We've spoken informally with many customers who have
some form of playbook or runbook that they follow for
threat/alert/incident response, and we're using what we know about these
procedures as inspiration for our new designs. But that's where *you*
come in: we'd like to collect many more examples of the types of
activities that you engage in during the response to a detected threat,
the types of information you collect, and what you do with that data.

The detail level we're looking for would be something along the lines
of: "Operator: If you see this type of alert appear in the console,
perform the following actions: take ownership of the alert, then collect
information on (a), (b), and (c). If these indicate a problem, then
escalate the alert to an incident and refer the incident to team X. Team
X: If you see an incident like this, collect information on (d), and
(e), then forward to the desktop team..."

We are of course aware that in many cases this type of runbook may not
be formally written down, but if you are familiar with this type of
activity then any experience you have could be useful. The goals are to:

- Guide the response team to help them react to threats quickly,
- Automate, where possible, the collection of additional evidence that
  might be useful for analysis,
- Build a highly usable, flexible, enjoyable user experience.

If any of you out there would be willing to contribute your thoughts and
ideas, we would love to work with you. Please reach out to me directly
at DCorlette@netiq.com, and we'll start
the conversation.

As always, any other general comments about Sentinel and how much you
love it (but if it would just do this one additional thing!) are most


DCorlette's Profile: https://forums.netiq.com/member.php?userid=323
View this thread: https://forums.netiq.com/showthread.php?t=52660