Detection Finding to Incident Finding Relationship

[Haribu]

Howdy!

My question is about the relationship between detection findings and incident findings.

In my conceptual solution one layer is the "Risk-Based Incident Determination" component, which takes inputs (Detection Findings) and groups them based on similar KV pairs, adding a risk score based on content within each finding (like information related to the impacted identities, assets or threat types). We're trying to work out "when something becomes an incident", and my working assumption is:

1. Detections create Detection Finding, which contains all of the "alert" details, plus anything else added as context while still in the SIEM/XDR/detection capability.
2. Detection Findings could be Informational or relate to high-confidence threats; the important part is grouping detection findings which seem related to the same attack (how they're grouped is a different problem, so let's assume we can group them with some confidence).
3. Is the best class to group them into an Incident Finding? Then using some of the other fields (like Confidence, Impact, Priority, Severity, etc.) to calculate a risk score for the overall "parent" Incident Findings (which contain one or more detection findings).
4. The key is only escalating things that cross a risk threshold to the SOC for semi-automated or human-led action (investigation, response, etc.).
   

This means that an Incident Finding is "anything" that might need an action (automated or human-led) but is only escalated when it crosses the risk threshold due to the combined risk of all related detection findings or context.

Hope that makes sense! Thanks.

[pagbabian-splunk]

Yes, this is basically the intended flow. All findings can be stateful, but whereas Vulnerability Finding, Compliance Finding, and Detection Finding are focused on their respective domains, Incident Finding combines one or more of any of them into something that is the ultimate conclusion with an overal set of scores, a verdict etc.

Because people were wanting the Incident Finding semantics and attributes without having to create another aggregating structure we added the Incident profile which can augment any of the Finding classes to include what Incident Finding has.

Detection Finding has related events, as in your picture above, with some Analytic behind the finding. Incident Finding can aggregate one or more Detection Findings (and other Findings) into one set of things making up the overall incident (e.g. a vulnerability was discovered, and a detection determined it was being exploited).

Therefore Incident Finding has a set of (related) Findings.

But if you just want Incident semantics on a single Detection Finding (or other Finding), you can use the Incident profile rather than creating another event that just aggregates one Finding.

[Haribu]

Great, thank you for your clarification!