IR Flow provides distinct workspaces for alert and incident handling. The alert handling workspace, or “Triage Queue,” is designed to enable rapid inspection of alerts by analysts and facilitate a rapid decision as to whether or not the alert is a false positive or a true positive.
Inbound alerts are scored automatically by IR Flow’s patent-pending Triage Scoring Engine. IR Flow models business risk in the context of a customer’s enterprise and uses this model to dynamically score alerts during the triage process. This enables critical alerts to be identified more rapidly, thereby improving the effectiveness of limited analyst resources and enabling better security outcomes, such as reduced time to containment and remediation.
Each alert in the Triage Queue has a unique Playbook or “checklist” of steps that need to be taken to either validate the alert as a true positive or close the alert as a false positive. These steps typically consist of reaching out to other systems for additional data to enrich the alert, such as validating a file hash across multiple Threat Intelligence platforms or identifying an asset with a CMDB lookup. The goal is to accelerate the decision-making process for closing, escalating or parking an alert for further investigation.
Once an alert has been validated as a true-positive, it is manually or automatically escalated to an incident. This blended approach enables security teams to reap the benefits of automation, while still retaining human judgment and insight where it makes sense. This approach materially reduces risk vs. simply automating a response process for every alert type regardless of the potential for infrastructure compromise, credential theft, and/or data breach.
The Triage Queue also comes with the ability to easily create custom filtered views for each analyst and provides advanced features such as alert de-duplication and the ability to build actions (rules) to automatically close or escalate alerts. IR Flow also provides the native ability to monitor a mailbox for user-submitted phishes and to automatically perform most of this analysis prior to presenting the alert to a human analyst for validation.