3. Incident Management
The first step to investigating the remote host is to collect data from it. This section outlines how to collect data and add it to Cyber Triage® for analysis.
3.1. Incidents and Hosts
Cyber Triage® uses the following data management terminology:
An Incident represents an investigation and can contain data from one or more hosts.
A Host represents a computer that is being investigated. There are a variety of ways to get data from hosts into the application.
The basic workflow for adding a host is:
Create a new incident or open an existing one.
Choose the collection method to get data into Cyber Triage®. Details are given below.
Choose the kinds of data you want to collect.
Choose your malware scanner settings.
3.2. Creating an Incident
Every host needs to be part of an incident. An incident will have its own good and bad lists and its own database. You can create an incident from the opening Cyber Triage® screen:
Press New Incident and add:
Incident Name: Must be unique and not have special characters
Description: Optional
That will then bring you to the Incident Dashboard:
From here, you can add data from hosts and open existing hosts. We will cover this in Adding a Host.
3.3. Incident Data Storage
Here are some basics of where incident-level data is stored:
Each incident will have its own database. Team databases are in PostgreSQL and Standard databases are in the Data Directory.
There is a correlation database that stores signatures, but not all metadata, of items to allow for correlation between incidents and hosts.
File content is stored separately in the “Data Directory” based on hash value, which avoids storing duplicate copies of the same file.
3.4. Deleting an Incident
You can delete an incident from the “Open Incidents” panel. Press the “Delete” button once you’ve selected the incident.
This action will:
Delete the incident database
Give you the option to remove the incident's data from the central correlation database
You cannot delete an incident if it is open or currently being processed.