cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Highlighted
Contributor I

Re: Event or Incident


@denbesten wrote:
Ask yourself if you have a policy that prohibits receipt of a phishing email.  

As soon as I get one drafted, I'll send it to the threat actors for their signature and acknowledgment! I'm kidding, I know what you mean lol. 

 



If you actively filter bad emails with an "advanced threat protection" system, then bad things getting past it would be an incident.  However, if you depend upon your users to do the correct thing then it would only become an incident if the user reacts incorrectly.


In our case, we filter email and depend on our users to apply their security awareness training skills. Some phishing emails still get through. This could be one of those grey areas where the view point of an incident or event would change between organizations.

Highlighted
Newcomer I

Re: Event or Incident

When I look as the message log on my email gateway, I see a list of emails.  Some were allowed, some were blocked.  I consider all of those to be events.

 

We instruct users to report any malicious emails they receive.  These I create incidents for, so that we can investigate how they made it through our filters and see if there is any action we can take to prevent them in the future.