# Incident identification

## What defines an incident?

* Event that requires a response
* Should already be defined in policy
* Usually adverse with negative impact
  * The real question is, how do we identify when they happen?

## Sources of incident notification

### End users

Most common source, but not always reliable: some reported events are just events, not incidents.

### Log sources

SIEM solutions, IDS, firewalls, HIPS. Volume can be overwhelming.

* Machine learning, deep learning and AI can help with triage

### Outside entities

Notification from outside entities, such as law enforcement.

## Things to look out for

Make sure the identification criteria are calibrated:

* Too loose and everything is an incident
* Too tight and you miss critical events
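As an added illustration that is not part of the original notes, the loose/tight trade-off applied to a constructed set of SIEM-style events under three hypothetical policies; the event types, thresholds and "ground truth" set are all assumptions made up for the exercise.

```python
from dataclasses import dataclass

# Constructed sample events (hypothetical), in the shape a SIEM might emit.
EVENTS = [
    {"id": 1, "type": "failed_login",      "count": 3,      "asset": "workstation"},
    {"id": 2, "type": "failed_login",      "count": 400,    "asset": "domain_controller"},
    {"id": 3, "type": "malware_detected",  "count": 1,      "asset": "workstation"},
    {"id": 4, "type": "port_scan",         "count": 50,     "asset": "web_server"},
    {"id": 5, "type": "data_transfer_out", "count": 20_000, "asset": "file_server"},
    {"id": 6, "type": "policy_violation",  "count": 1,      "asset": "workstation"},
]

# Assumed ground truth for the exercise: the events that actually required a response.
TRUE_INCIDENTS = {2, 3, 5}


@dataclass(frozen=True)
class Policy:
    """Policy-defined identification criteria: an event becomes an incident when its
    type is listed AND its count meets that type's threshold (any count on a critical asset)."""
    name: str
    thresholds: dict            # event type -> minimum count that requires a response
    critical_assets: frozenset = frozenset()

    def is_incident(self, event):
        threshold = self.thresholds.get(event["type"])
        if threshold is None:          # type not covered by policy: stays an event
            return False
        if event["asset"] in self.critical_assets:
            return True                # critical asset: a single occurrence is enough
        return event["count"] >= threshold


def evaluate(policy, events=EVENTS, truth=TRUE_INCIDENTS):
    """Return (flagged ids, false positives, missed incidents) for a policy."""
    flagged = {e["id"] for e in events if policy.is_incident(e)}
    return flagged, flagged - truth, truth - flagged


# Three hypothetical policies: everything fires, almost nothing fires, and a tuned middle.
LOOSE = Policy("loose", {t: 1 for t in ("failed_login", "malware_detected", "port_scan",
                                        "data_transfer_out", "policy_violation")})
TIGHT = Policy("tight", {"failed_login": 1000, "malware_detected": 5, "data_transfer_out": 100_000})
CALIBRATED = Policy("calibrated",
                    {"failed_login": 100, "malware_detected": 1, "data_transfer_out": 10_000},
                    critical_assets=frozenset({"domain_controller"}))

if __name__ == "__main__":
    for policy in (LOOSE, TIGHT, CALIBRATED):
        flagged, false_positives, missed = evaluate(policy)
        print(f"{policy.name:10s} flagged={sorted(flagged)} "
              f"false_positives={sorted(false_positives)} missed={sorted(missed)}")
```

The loose policy declares all six events incidents (three false positives), the tight one declares none (three missed), and the calibrated one matches the assumed ground truth exactly.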

## Allow room for identifying new incidents

Just because it's not defined in policy doesn't mean it's not an incident.

Some of the more devastating incidents are "new" ones.

## Maintain scope and focus

Identify the incident, then move on to classification.

* Don't try to do containment at this stage!

## How incidents are detected

* Law enforcement
* Internal detection/DLP
* Third-party consultants/vendors
* Exfiltrated data disclosed (internet or dark web)
  * Worst-case scenario?
