https://community.isc2.org/t5/CC-Group/CC-question-in-selfpaced-training-is-confusing/m-p/55193#M37 <P><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/690706113">@tmekelburg1</a>&nbsp;Great diagram but is this really a concept that we would expect someone with little to no experience to understand????</P> Tue, 15 Nov 2022 23:21:07 GMT dcontesti 2022-11-15T23:21:07Z https://community.isc2.org/t5/CC-Group/CC-question-in-selfpaced-training-is-confusing/m-p/55175#M34 <P>#spolier - this refers to a sample test question in the CC training#&nbsp; &nbsp;</P><P>&nbsp;</P><P>The incident response video question suggests that when the incident response team establish that the user is known and that the activity discovered is benign then the incident response should stop.&nbsp; &nbsp;However, i think this is inaccurate as i would expect (and the previous training slides suggest) the responders to carry out a brief retrospective of the incident.&nbsp; &nbsp;I would also like to see if the responders could suggest ways in which such 'false positives' could be removed from the alerting process, thus making the team more efficient overall.&nbsp; &nbsp;So in my mind the answer is that the response continues to a conclusion and hence does not stop...</P><P>&nbsp;</P><P>welcome any thoughts on that.</P><P>&nbsp;</P><P>NOTE: its only a guide question - not an exam - so its not vital...</P> Tue, 15 Nov 2022 08:53:21 GMT https://community.isc2.org/t5/CC-Group/CC-question-in-selfpaced-training-is-confusing/m-p/55175#M34 RichA69 2022-11-15T08:53:21Z https://community.isc2.org/t5/CC-Group/CC-question-in-selfpaced-training-is-confusing/m-p/55177#M35 <P>Possibly.&nbsp; It depends how you scope RS.IM.&nbsp; A reduction in false positives could be seen as an improvement, but equally it could be done as part of an improvement in detection.</P><P>&nbsp;</P> Tue, 15 Nov 2022 13:21:02 GMT https://community.isc2.org/t5/CC-Group/CC-question-in-selfpaced-training-is-confusing/m-p/55177#M35 Steve-Wilme 2022-11-15T13:21:02Z https://community.isc2.org/t5/CC-Group/CC-question-in-selfpaced-training-is-confusing/m-p/55181#M36 <P>Technically, the security event shouldn't have been declared an incident. So, the incident process should be immediately stopped and moved to <STRONG>post-incident activities</STRONG> for process improvement, aka adjust tooling to fix false positives. The test won't get this detailed though.</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="tmekelburg1_0-1668521199085.png" style="width: 999px;"><img src="https://community.isc2.org/t5/image/serverpage/image-id/6608i1AA772FE22175C16/image-size/large?v=v2&amp;px=999" role="button" title="tmekelburg1_0-1668521199085.png" alt="tmekelburg1_0-1668521199085.png" /></span></P><P>&nbsp;</P> Tue, 15 Nov 2022 14:14:01 GMT https://community.isc2.org/t5/CC-Group/CC-question-in-selfpaced-training-is-confusing/m-p/55181#M36 tmekelburg1 2022-11-15T14:14:01Z https://community.isc2.org/t5/CC-Group/CC-question-in-selfpaced-training-is-confusing/m-p/55193#M37 <P><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/690706113">@tmekelburg1</a>&nbsp;Great diagram but is this really a concept that we would expect someone with little to no experience to understand????</P> Tue, 15 Nov 2022 23:21:07 GMT https://community.isc2.org/t5/CC-Group/CC-question-in-selfpaced-training-is-confusing/m-p/55193#M37 dcontesti 2022-11-15T23:21:07Z https://community.isc2.org/t5/CC-Group/CC-question-in-selfpaced-training-is-confusing/m-p/55198#M38 <P>If you take an simple ISO 27035 perspective, that are a great many security events, which get filtered down into the few that are actual incidents.&nbsp; So if something has been incorrectly called as an incident it should be possible to close it later due to the mistake.&nbsp;&nbsp;</P> Wed, 16 Nov 2022 09:25:59 GMT https://community.isc2.org/t5/CC-Group/CC-question-in-selfpaced-training-is-confusing/m-p/55198#M38 Steve-Wilme 2022-11-16T09:25:59Z https://community.isc2.org/t5/CC-Group/CC-question-in-selfpaced-training-is-confusing/m-p/55201#M39 <P>So on that (really good) diagram should there be a section prior to 'declare incident' that says 'initial triage of security event' to determine whether it is really an incident at all???</P> Wed, 16 Nov 2022 11:36:01 GMT https://community.isc2.org/t5/CC-Group/CC-question-in-selfpaced-training-is-confusing/m-p/55201#M39 RichA69 2022-11-16T11:36:01Z https://community.isc2.org/t5/CC-Group/CC-question-in-selfpaced-training-is-confusing/m-p/55202#M40 Hey, what's the source of your diagram? Thanks Wed, 16 Nov 2022 13:48:12 GMT https://community.isc2.org/t5/CC-Group/CC-question-in-selfpaced-training-is-confusing/m-p/55202#M40 liudvikas 2022-11-16T13:48:12Z https://community.isc2.org/t5/CC-Group/CC-question-in-selfpaced-training-is-confusing/m-p/55204#M41 <P><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/320317701">@RichA69</a>&nbsp;Yeah, you could. This diagram is just showing the IR phases and what feeds into it.</P><P>&nbsp;</P><P><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/715155969">@dcontesti</a>&nbsp;No, but it was easier for me to describe and show in the diagram how it's all connected. The main thing for the OP to know, related to the test, is to stop the IR process if it's not an incident.</P><P>&nbsp;</P><P><a href="https://community.isc2.org/t5/user/viewprofilepage/user-id/1245028837">@liudvikas</a>&nbsp;<A href="https://www.cisa.gov/sites/default/files/publications/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf" target="_self">https://www.cisa.gov/sites/default/files/publications/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf</A>&nbsp;</P> Wed, 16 Nov 2022 13:56:46 GMT https://community.isc2.org/t5/CC-Group/CC-question-in-selfpaced-training-is-confusing/m-p/55204#M41 tmekelburg1 2022-11-16T13:56:46Z