Investigating Security Events
Learn how to analyze and respond to security threats.
A structured investigation workflow ensures thorough analysis and proper documentation for compliance and future reference.
Investigation Workflow
| Step | Action |
|---|---|
| 1. Detect | Identify the security event |
| 2. Triage | Prioritize by severity |
| 3. Analyze | Review event details and context |
| 4. Respond | Take appropriate action |
| 5. Document | Record findings and actions |
Step 1: Detect & Triage
Security events appear in your dashboard with AI-assigned severity levels.
Event Priority Matrix
| Severity | Response Time | Action |
|---|---|---|
| Critical (🔴) | 0-15 minutes | Investigate immediately |
| High (🟠) | Within 1 hour | Investigate promptly |
| Medium (🟡) | Within 4 hours | Schedule investigation |
| Low (🔵) | Scheduled review | Review during analysis sessions |
CastellanAI analyzes hundreds of factors to assign severity. However, always consider your organization's context when prioritizing.
Step 2: Analyze Event Details
Key Information to Review
Click on an event to view comprehensive details:
| Field | What to Look For |
|---|---|
| Event Type | Classification (auth failure, malware, etc.) |
| Affected System | Which host/user/process was involved |
| Timestamp | When it occurred (check for patterns) |
| MITRE Tactics | Which ATT&CK techniques were detected |
| AI Analysis | What CastellanAI identified as suspicious |
| Correlation | Related events in the same timeframe |
Understanding Threat Scores
| Score | Description | High Value Indicates |
|---|---|---|
| Confidence | AI detection confidence | Strong threat match |
| Correlation | Related event strength | Part of larger attack |
| Burst | Activity spike intensity | Active attack in progress |
| Anomaly | Deviation from baseline | Unusual behavior |
High correlation + high burst scores together often indicate an active attack in progress.
MITRE ATT&CK Context
Each event shows mapped MITRE techniques:
| Information | Purpose |
|---|---|
| Tactic | Attack phase (Initial Access, Execution, etc.) |
| Technique ID | Specific attack method (T1059, T1110, etc.) |
| Description | What the technique does |
| Mitigations | How to defend against it |
Step 3: Use Filters & Search
Apply filters to find related events and build a complete picture:
Useful Filter Combinations
| Filter | Purpose |
|---|---|
| Same Host | See all activity on the affected system |
| Same User | Track user behavior across systems |
| Time Range | Narrow to +/-30 minutes of original event |
| Event Type | Look for auth, process, or network events |
| MITRE Technique | Find events using same attack technique |
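The filter combinations above describe a pivot search: starting from one event, pull every other event that shares a host, user, or technique within a time window. The following is an added example written for this guide, not CastellanAI code or its API; the `Event` fields, the `related_events` helper and the sample events are all constructed for illustration, and the ±30 minute window matches the Time Range filter in the table.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, Optional


@dataclass(frozen=True)
class Event:
    """Minimal event record (constructed for this example, not a product schema)."""
    event_id: str
    timestamp: datetime
    host: str
    user: str
    event_type: str   # e.g. "auth_failure", "process", "network"
    technique: str    # MITRE ATT&CK technique ID, e.g. "T1110"


def _t(hh: int, mm: int) -> datetime:
    """Shorthand for a timestamp on a single constructed day."""
    return datetime(2024, 1, 15, hh, mm)


# Constructed sample events: a burst of failed logons on srv-01 followed by
# a process event, with unrelated activity on other hosts.
EVENTS = [
    Event("E1", _t(9, 40), "srv-01", "alice", "auth_failure", "T1110"),
    Event("E2", _t(9, 20), "srv-01", "bob",   "auth_failure", "T1110"),
    Event("E3", _t(10, 0), "srv-01", "alice", "auth_failure", "T1110"),  # pivot
    Event("E4", _t(10, 12), "srv-01", "alice", "process",     "T1059"),
    Event("E5", _t(10, 25), "ws-07",  "alice", "auth_failure", "T1110"),
    Event("E6", _t(11, 0), "srv-01", "alice", "auth_failure", "T1110"),
    Event("E7", _t(10, 5), "ws-09",  "carol", "auth_failure", "T1110"),
]


def related_events(
    pivot: Event,
    events: Iterable[Event],
    window_minutes: int = 30,
    same_host: bool = False,
    same_user: bool = False,
    same_technique: bool = False,
    event_types: Optional[set] = None,
) -> list:
    """Return events within +/- window_minutes of the pivot that satisfy
    every enabled filter (host, user, technique, event type).
    The pivot itself is excluded; results are sorted by time."""
    window = timedelta(minutes=window_minutes)
    hits = []
    for ev in events:
        if ev.event_id == pivot.event_id:
            continue
        if abs(ev.timestamp - pivot.timestamp) > window:
            continue
        if same_host and ev.host != pivot.host:
            continue
        if same_user and ev.user != pivot.user:
            continue
        if same_technique and ev.technique != pivot.technique:
            continue
        if event_types is not None and ev.event_type not in event_types:
            continue
        hits.append(ev)
    return sorted(hits, key=lambda e: e.timestamp)


def scope_summary(pivot: Event, related: Iterable[Event]) -> dict:
    """Summarise scope of impact: distinct hosts, users and techniques
    touched by the pivot plus its related events."""
    all_events = [pivot, *related]
    return {
        "hosts": sorted({e.host for e in all_events}),
        "users": sorted({e.user for e in all_events}),
        "techniques": sorted({e.technique for e in all_events}),
        "event_count": len(all_events),
    }


if __name__ == "__main__":
    pivot = EVENTS[2]
    by_host = related_events(pivot, EVENTS, same_host=True)
    by_user = related_events(pivot, EVENTS, same_user=True)
    print("Same host:", [e.event_id for e in by_host])
    print("Same user:", [e.event_id for e in by_user])
    print("Scope:", scope_summary(pivot, by_user))
```

Running the pivot on E3 with the Same Host filter returns E1 and E4 (E2 and E6 fall outside the window); switching to Same User adds E5 on `ws-07`, which is the kind of lateral spread the Same User filter is meant to surface. `scope_summary` then gives the host and user lists needed for the "Determine scope of impact" step of the checklist.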
Step 4: Take Action
Available Response Actions
| Action | Description | Use Case |
|---|---|---|
| Block IP Address | Prevent traffic from malicious IPs | External attacks |
| Isolate Host | Disconnect compromised system | Malware/ransomware |
| Quarantine File | Move malware to secure location | Suspicious files |
| Add to Watchlist | Enhanced monitoring | Suspicious accounts |
| Create Ticket | Escalate to security team | Investigation needed |
Executing Actions
From Event Details:
- Click on any security event
- Review AI-suggested actions in "Recommended Actions"
- Click Execute on the desired action
- Confirm execution in the dialog
From Alert Notifications:
- Click "View Details" link in alert
- Review event context
- Execute appropriate response action
All actions are logged and can be rolled back if needed. Document your reasoning before taking action.
Investigation Best Practices
Investigation Do's
| Practice | Reason |
|---|---|
| Document all findings and actions | Audit trail and future reference |
| Check for related events in timeframe | Identify attack scope |
| Consult AI analysis for context | Leverage automated insights |
| Verify with affected users first | Avoid disrupting legitimate activity |
| Review MITRE ATT&CK techniques | Understand attack methodology |
Investigation Don'ts
| Avoid | Reason |
|---|---|
| Dismissing events without investigation | May miss real threats |
| Taking action without understanding impact | Could cause business disruption |
| Ignoring correlated events | May miss larger attack |
| Skipping documentation for "minor" incidents | Compliance and pattern detection |
| Acting solely on AI severity | Context matters |
📝 Investigation Checklist
- Review event details and AI analysis
- Check for correlated events
- Identify affected systems and users
- Review MITRE ATT&CK context
- Determine scope of impact
- Execute appropriate response action
- Document findings and rationale
- Update event status
- Monitor for recurrence
What's Next?
| Guide | Description |
|---|---|
| Taking Action | Available response actions and when to use them |
| Incident Workflows | Standardized workflows for common incident types |
| False Positives | How to identify and reduce false positives |
| Alerts & Severity | Understanding severity levels |