3. Incident Management

The first step to investigating the remote host is to collect data from it. This section outlines how to collect data and add it to Cyber Triage® for analysis.

3.1. Incidents and Hosts

Cyber Triage® uses the following data management terminology:

  • An Incident represents an investigation and can contain data from one or more hosts.

  • A Host represents a computer that is being investigated. There are a variety of ways to get data from hosts into the application.

The basic workflow for adding a host is:

  1. Create a new incident or open an existing one.

  2. Choose the method to get data into Cyber Triage®. Details are given below.

  3. Some methods will require you to choose the kinds of data you want to extract.

  4. Choose your malware scanner settings.

3.2. Creating an Incident

Every host needs to be part of an incident. An incident will have its own good and bad lists and its own database. You can create an incident from the opening Cyber Triage® screen:

Figure: Opening Cyber Triage Panel

  1. Press Add New Incident and add:

    • Incident Name: must be unique and must not contain special characters

    • Description: optional

Figure: New Incident Form

  2. That will then bring you to the Incident Dashboard:

Figure: Incident Dashboard

From here, you can add data from hosts and open existing hosts. We will cover this in Adding a Host.

3.3. Incident Data Storage

Here are some basics of where incident-level data is stored:

  • Each incident has its own database. In Team deployments the incident database is stored in PostgreSQL; in Standard deployments it is stored in the Data Folder.

  • A separate correlation database stores the signatures (but not the full metadata) of items so that they can be correlated across incidents and hosts.

  • File content is stored separately in the “Data Folder” based on hash value, which avoids storing duplicate copies of the same file.

3.4. Deleting an Incident

You can delete an incident from the opening panel. Press the “Delete” button once you’ve selected the incident.

This action will:

  • Delete the incident database

  • Provide you the option to remove data from the central correlation database

You cannot delete an incident if it is open or currently being processed.