Recover
We covered how to respond to an incident in Chapter 7. This included collecting log files, creating policies and procedures for categorizing and responding to an incident, creating a crisis communications plan, and developing an ICA and PCA. To wrap all of that up, we need to document the event in a synopsis of what occurred. This timeline will include several types of information, and it must be protected.
First, we need to analyze the log files that come into our SIEM to determine whether an event is to be considered an adverse event. We must develop rules in our SIEM that match the signatures or characteristics of adverse events within our environment. Once a signature has been triggered, we need to determine whether the event crosses our threshold and how critical it is.
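The following is an added example of the signature-then-threshold logic described above; it is not code from the book or from any SIEM product. It uses constructed sshd-style log lines, a hypothetical rule name, and a simple correlation rule: a signature regex matches failed and accepted password logins, the rule fires when a source IP exceeds a failure threshold inside a sliding time window, and the criticality is escalated if the same source later logs in successfully, which is the case that should be treated as an incident rather than noise.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log lines in sshd's authentication-log format. They are
# invented for this example (RFC 5737 documentation addresses), not taken from
# any real system: one source hammers admin/root and then gets in, another is
# a user mistyping a password half an hour apart, plus one unrelated cron line.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2024-03-01T10:00:03Z host1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51236 ssh2
2024-03-01T10:00:05Z host1 sshd[2101]: Failed password for root from 203.0.113.7 port 51238 ssh2
2024-03-01T10:00:07Z host1 sshd[2101]: Failed password for root from 203.0.113.7 port 51240 ssh2
2024-03-01T10:00:09Z host1 sshd[2101]: Failed password for root from 203.0.113.7 port 51242 ssh2
2024-03-01T10:00:12Z host1 sshd[2101]: Accepted password for root from 203.0.113.7 port 51244 ssh2
2024-03-01T10:01:00Z host1 sshd[2102]: Failed password for alice from 198.51.100.23 port 40001 ssh2
2024-03-01T10:30:00Z host1 sshd[2103]: Failed password for alice from 198.51.100.23 port 40002 ssh2
2024-03-01T10:30:10Z host1 sshd[2103]: Accepted password for alice from 198.51.100.23 port 40003 ssh2
2024-03-01T10:30:11Z host1 cron[900]: (root) CMD (run-parts /etc/cron.hourly)
"""

# The signature: one regex that recognises both failed and accepted password
# logins. Lines that do not match are simply not part of this rule.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

RULE_ID = "SSH-PASSWORD-BRUTE-FORCE"  # hypothetical rule name for this example


def parse_line(line):
    """Return a dict for lines matching the signature, or None for everything else."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "outcome": m["outcome"], "user": m["user"], "src": m["src"]}


def detect(log_text, threshold=5, window_minutes=5):
    """Correlate matching events per source IP. The rule fires once per source
    when at least `threshold` failures fall inside a sliding window of
    `window_minutes`. Criticality starts at 'medium'; a successful login from
    the same source after the rule fired escalates it to 'high'."""
    window = timedelta(minutes=window_minutes)
    events = [e for e in map(parse_line, log_text.splitlines()) if e is not None]
    events.sort(key=lambda e: e["ts"])

    recent = defaultdict(list)  # src -> failure timestamps still inside the window
    tried = defaultdict(set)    # src -> user names attempted
    alerts = {}                 # src -> alert, so each source raises one alert

    for e in events:
        src = e["src"]
        if e["outcome"] == "Failed":
            tried[src].add(e["user"])
            # Slide the window: keep only failures within `window` of this one.
            recent[src] = [t for t in recent[src] if e["ts"] - t <= window]
            recent[src].append(e["ts"])
            if len(recent[src]) >= threshold and src not in alerts:
                alerts[src] = {
                    "rule": RULE_ID,
                    "src": src,
                    "count": len(recent[src]),
                    "first_seen": recent[src][0],
                    "last_seen": e["ts"],
                    "users_tried": sorted(tried[src]),
                    "criticality": "medium",
                    "compromised_user": None,
                }
        elif src in alerts and alerts[src]["criticality"] != "high":
            # A success after the rule fired means the guessing likely worked.
            alerts[src]["criticality"] = "high"
            alerts[src]["compromised_user"] = e["user"]

    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

With the defaults, only 203.0.113.7 raises an alert (five failures in nine seconds, then a successful root login, so criticality "high"); alice's two failures 29 minutes apart never cross the threshold. Lowering the threshold to 2 with a 60-minute window would flag her as well, which is the kind of tuning decision the threshold step is about: the same signature produces either a useful alert or noise depending on the threshold and window chosen for the environment.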
If the event is determined to be an incident, we enact our incident response plan, which engages the incident response team to begin triaging the incident. This will require...