Chris wrote:
> For audit and compliance, we are being asked to provide documentation on
> what steps are taken for every IDS alert. (i.e. was it an incident and
> what steps were taken, was it a false positive, and what steps were
> taken, etc.)

AFAIK, ISS's products won't cover this kind of granular, day-in, day-out activity. You'd be better served with any of a number of trouble ticketing / issue resolution systems, since the activity you're describing will never end. To automate, I'd use ISS's alerting system to open tickets -- have the sensors e-mail the ticketing system the pertinent information, and make liberal use of the quiet time and issue coalescing functionality.

Less automatic, but more flexible, would be to institute a published shift report (a good example is the ISC/SANS incident handler's diary, here: http://www.incidents.org/diary.php ).

--
Tod Beardsley | www.planb-security.net

_______________________________________________
ISSForum mailing list, hosted and managed by Internet Security Systems.
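The alert-to-ticket automation Tod describes, with a quiet time and issue coalescing, as an added illustration that is not part of the original thread and not ISS or any ticketing product's code. The pipe-delimited alert line format, the signature names, the addresses and the Coalescer/Ticket classes are all constructed for this example; each ticket carries a disposition field so the audit record ("incident" / "false positive" and what was done) lives with the alert group rather than with every individual alert.

```python
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, timedelta

Alert = namedtuple("Alert", "ts signature src dst")

@dataclass
class Ticket:
    key: tuple                 # (signature, src, dst) this ticket tracks
    first_seen: datetime
    last_seen: datetime
    count: int = 1             # alerts folded into this ticket
    disposition: str = "open"  # analyst fills in: incident / false positive / ...

class Coalescer:
    """Fold repeated alerts for one (signature, src, dst) into one ticket while
    each new alert arrives within `quiet` of the previous one (the quiet time)."""
    def __init__(self, quiet):
        self.quiet = quiet
        self.tickets = []   # every ticket opened, in creation order (the audit trail)
        self._open = {}     # key -> most recent ticket for that key

    def ingest(self, alert):
        key = (alert.signature, alert.src, alert.dst)
        t = self._open.get(key)
        if t is not None and alert.ts - t.last_seen <= self.quiet:
            t.count += 1          # same issue, still inside the quiet window
            t.last_seen = alert.ts
            return t
        t = Ticket(key=key, first_seen=alert.ts, last_seen=alert.ts)
        self._open[key] = t       # quiet window expired (or first sighting): new ticket
        self.tickets.append(t)
        return t

def parse_alert(line):
    # Constructed sensor-mail format (not ISS's): "<ISO timestamp>|<sig>|<src>|<dst>"
    ts, sig, src, dst = line.strip().split("|")
    return Alert(datetime.fromisoformat(ts), sig, src, dst)

# Constructed sample alert stream; addresses and signature names are made up.
SAMPLE = """\
2003-05-12T10:00:00|SMB_Probe|10.0.0.5|192.168.1.10
2003-05-12T10:01:00|SMB_Probe|10.0.0.5|192.168.1.10
2003-05-12T10:01:30|HTTP_Probe|10.0.0.7|192.168.1.20
2003-05-12T10:02:30|SMB_Probe|10.0.0.5|192.168.1.10
2003-05-12T10:20:00|SMB_Probe|10.0.0.5|192.168.1.10
"""

def build_tickets(lines, quiet_seconds=300):
    c = Coalescer(timedelta(seconds=quiet_seconds))
    for line in lines:
        c.ingest(parse_alert(line))
    return c.tickets
```

With the default five-minute quiet time the five sample alerts become three tickets (three SMB alerts coalesced, one HTTP, and a fresh SMB ticket for the alert that arrives after the window lapses); a longer quiet time folds all four SMB alerts into one.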
