Investigating Security Events
Learn how to analyze and respond to security threats.
Investigation Workflow
When CastellanAI detects a potential security threat, it's important to investigate promptly and systematically. This guide walks you through the investigation process from initial detection to resolution.
| Step | Action |
|---|---|
| 1 | Detect & triage - identify the security event and prioritize it by severity |
| 2 | Analyze - review event details, ATT&CK mapping, AI analysis, and related events |
| 3 | Scope - use filters and search to find related events and build the full picture |
| 4 | Respond & document - contain and remediate the threat, then record findings and actions |
Step 1: Detect & Triage
Security events appear in your dashboard with AI-assigned severity levels. Review critical and high severity events before anything else.
Event Priority Matrix
| Severity | Response Time |
|---|---|
| Critical (Red) | Investigate immediately (0-15 min) |
| High (Orange) | Investigate within 1 hour |
| Medium (Yellow) | Investigate within 4 hours |
| Low (Blue) | Review during scheduled analysis |
CastellanAI analyzes hundreds of factors to assign severity, but the rating is a starting point, not a verdict. Weigh it against your organization's context: the criticality and exposure of the affected asset, the privileges of the user involved, and whether the activity is expected in your environment.
Step 2: Analyze Event Details
Click on an event to view comprehensive details including MITRE ATT&CK mapping, AI analysis, and related events.
Key Information to Review
- Event Type - what kind of security event occurred (authentication failure, malware detection, and so on)
- Affected System - which host, user, and process were involved
- Timestamp - when the event occurred; check for repetition, bursts, and activity outside normal working hours
- MITRE ATT&CK Mapping - which tactics and techniques the event was mapped to; this tells you where in an attack chain the activity sits
- AI Analysis - what CastellanAI flagged as suspicious and why
- Correlation - whether related events occurred in the same timeframe on the same host or for the same user
Step 3: Use Filters & Search
Apply filters to find related events and build a complete picture of the incident.
Useful Filter Combinations
| Filter | Purpose |
|---|---|
| Same Host | Filter by hostname to see all activity on the affected system |
| Same User | Filter by username to track user behavior across systems |
| Time Range | Start with +/-30 minutes around the original event, then widen the window if related activity continues beyond it |
| Event Type | Look for authentication, process creation, or network events |
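The triage ordering from Step 1 and the filter combinations from Step 3 can be expressed as a small script. The block below is an added example, not CastellanAI code or its API: it assumes a hypothetical event schema (dictionaries with `id`, `ts`, `severity`, `type`, `host`, `user`, `src_ip`), takes the response-time targets from the priority matrix above, and runs over a constructed batch of six sample events. It orders the review queue (critical first, oldest first within a severity, with a negative value once the target response window has passed), applies the same-host, same-user and +/-30 minute filters together around a seed event, and then pivots on a single indicator across all hosts to show activity that falls outside the initial window.

```python
"""Triage and correlation over a constructed batch of security events.

Added example, not CastellanAI code. The event schema below is a
hypothetical one chosen for illustration; the response-time targets are
taken from the priority matrix in this guide.
"""
from collections import Counter
from datetime import datetime, timedelta

# Target response windows in minutes (None = review during scheduled analysis).
RESPONSE_TARGET_MINUTES = {"critical": 15, "high": 60, "medium": 240, "low": None}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed sample events (hypothetical schema); not real telemetry.
EVENTS = [
    {"id": "e1", "ts": "2024-05-01T09:00:00", "severity": "low", "type": "auth_success", "host": "ws-17", "user": "alice", "src_ip": "10.0.0.5"},
    {"id": "e2", "ts": "2024-05-01T09:20:00", "severity": "high", "type": "auth_failure", "host": "ws-17", "user": "alice", "src_ip": "203.0.113.9"},
    {"id": "e3", "ts": "2024-05-01T09:23:00", "severity": "critical", "type": "process_creation", "host": "ws-17", "user": "alice", "src_ip": None},
    {"id": "e4", "ts": "2024-05-01T09:31:00", "severity": "medium", "type": "network_connection", "host": "ws-17", "user": "alice", "src_ip": "203.0.113.9"},
    {"id": "e5", "ts": "2024-05-01T11:05:00", "severity": "medium", "type": "auth_failure", "host": "srv-db1", "user": "alice", "src_ip": "203.0.113.9"},
    {"id": "e6", "ts": "2024-05-01T09:25:00", "severity": "low", "type": "auth_success", "host": "srv-web2", "user": "bob", "src_ip": "10.0.0.8"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def triage_queue(events, now):
    """Order events for review: critical first, then oldest first within a severity.

    minutes_to_deadline is negative once the target response window has passed
    and None for low-severity events, which go to scheduled review.
    """
    now = parse_ts(now) if isinstance(now, str) else now
    queue = []
    for ev in sorted(events, key=lambda e: (SEVERITY_RANK[e["severity"]], parse_ts(e["ts"]))):
        target = RESPONSE_TARGET_MINUTES[ev["severity"]]
        remaining = None
        if target is not None:
            deadline = parse_ts(ev["ts"]) + timedelta(minutes=target)
            remaining = int((deadline - now).total_seconds() // 60)
        queue.append({"id": ev["id"], "severity": ev["severity"], "minutes_to_deadline": remaining})
    return queue


def related_events(events, seed_id, window_minutes=30):
    """Apply the same-host, same-user and time-range filters together.

    Returns events within +/-window_minutes of the seed that share its host
    or user, oldest first, each tagged with why it was considered related.
    """
    seed = next(e for e in events if e["id"] == seed_id)
    seed_ts = parse_ts(seed["ts"])
    window = timedelta(minutes=window_minutes)
    hits = []
    for ev in events:
        if ev["id"] == seed_id or abs(parse_ts(ev["ts"]) - seed_ts) > window:
            continue
        reasons = []
        if ev["host"] == seed["host"]:
            reasons.append("same_host")
        if ev["user"] == seed["user"]:
            reasons.append("same_user")
        if reasons:
            hits.append({**ev, "related_by": reasons})
    return sorted(hits, key=lambda e: parse_ts(e["ts"]))


def pivot(events, field, value):
    """Pivot on one indicator (for example a source IP) across all hosts and the
    full time range; this is how activity outside the +/-30 minute window shows up."""
    ordered = sorted(events, key=lambda e: parse_ts(e["ts"]))
    return [e["id"] for e in ordered if e.get(field) == value]


def event_type_counts(events):
    """Count related events by type to see which evidence classes are present."""
    return Counter(e["type"] for e in events)


if __name__ == "__main__":
    for item in triage_queue(EVENTS, "2024-05-01T11:10:00"):
        print(item)
    related = related_events(EVENTS, "e3")
    print([(e["id"], e["related_by"]) for e in related])
    print(dict(event_type_counts(related)))
    # The same source IP reappears on srv-db1 well after the 30 minute window.
    print(pivot(EVENTS, "src_ip", "203.0.113.9"))
```

Reading the output: the critical process-creation event on ws-17 sits at the head of the queue and is already past its 15 minute target, the window around it returns the preceding login and failed authentication from the same host and user, and pivoting on the external source IP surfaces a later authentication failure against srv-db1 that the +/-30 minute window alone would have missed. That last step is the reason to widen the window or pivot on an indicator once the initial picture is built.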
Step 4: Take Action
Based on your investigation, take appropriate action to contain and remediate the threat.
Response Actions Available
| Action | Description |
|---|---|
| Block IP Address | Prevent traffic from malicious IPs |
| Isolate Host | Disconnect the compromised system from the network |
| Quarantine File | Move the suspected malicious file to an isolated location where it cannot execute |
| Create Ticket | Escalate to the security team |
All actions are logged and can be rolled back if needed. Document your reasoning before taking action, and choose the least disruptive action that still contains the threat.
Investigation Best Practices
Do's
- Document all findings and actions taken
- Check for related events in the same timeframe
- Consult AI analysis for additional context
- Where practical, confirm with the affected user (for example, whether they actually initiated the login) before taking disruptive action, using a channel other than the possibly compromised account
Don'ts
- Don't dismiss events without investigation
- Don't take action without understanding impact
- Don't ignore correlated events
- Don't skip documentation for "minor" incidents
What's Next?
- Taking Action - Learn about available response actions and when to use them
- Incident Workflows - Establish standardized workflows for common incident types
- False Positives - Learn how to identify and reduce false positive alerts
Master Security Investigation
Effective investigation is key to maintaining strong security. Practice these workflows regularly to build muscle memory for incident response.