Just to add a few cents to the previous discussion, agreeing with what has been mentioned.
It is usually a best-practice/compliance requirement to have events & potential incidents reviewed on a daily basis and addressed accordingly. Post-review, those would be classified and given a priority (and a resolution target as well).
If you have a formalized SOC/CSIRT setup, then keeping track of incidents for, e.g., the purpose of KPI tracking/analysis might be needed.
------------------------------
Dusan VIDOVIC
------------------------------
Original Message:
Sent: 03-07-2019 02:36 AM
From: Dietger Bahn
Subject: Baking Offenses
Lance,
when Offenses don't get any attention in a timely manner, they're not relevant at all and you need to get rid of them. A Saved Search and/or a Report might be more fitting for such Use Cases. I have faced many clients that outsourced their SOC responsibilities. Here it all depends on the negotiated SLA (or OLA if internal). Also wrong: getting charged by the amount/number of Offenses created within such a contract.
The scenario you describe might be relevant again if you use an Incident Response solution in addition, for example Resilient. Then you might keep Offenses as a kind of monitoring component, but rather keep working on the related Security Incidents within the Incident Response solution connected to QRadar. Offenses then receive an annotation, and you have a kind of tracking even if they got closed untouched.
Regards,
Dietger
------------------------------
Dietger Bahn
Original Message:
Sent: 03-06-2019 05:07 PM
From: Lance Bennett
Subject: Baking Offenses
For anyone. How much time should be allotted for an offense to be responded to? I understand that this is subjective and may be different for specific offenses. The company I work for uses an offshore team to address level 1 and level 2 threats. I often see offenses that have been baking for a month. Does anyone have any advice or recommendations for getting offenses assigned, worked, and closed in a timely manner? I realize they become inactive after 5 days, but letting them sit there for a month is ridiculous. Thoughts?
------------------------------
Lance
------------------------------
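An added example (not code from the thread or from IBM) that turns the two points above into something checkable: the KPI tracking of offense handling Dusan mentions, and Lance's question of how long an offense may sit before someone looks at it. It runs an SLA/ageing check over a constructed list of offense records. The record layout is modelled on the fields the QRadar REST endpoint /api/siem/offenses returns (id, status, assigned_to, magnitude, start_time, last_updated_time, close_time, all times in epoch milliseconds); the per-magnitude SLA targets, the analyst names and the sample offenses are assumptions made for this example, not QRadar defaults. The 5-day "stale" threshold mirrors the inactivity period Lance refers to.

```python
"""Offense ageing / SLA-breach check and per-band KPI summary.

Added example, not from the thread. Record fields are modelled on the
QRadar /api/siem/offenses response; SLA targets and sample data are
assumptions for illustration only.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed SLA targets in hours, keyed by magnitude band. Replace with the
# values from your own negotiated SLA (or OLA if the SOC is internal).
SLA_HOURS = {"high": 4, "medium": 24, "low": 72}
# QRadar marks an offense inactive after 5 days without new events (as noted
# in the thread); an open offense untouched that long is flagged "stale".
INACTIVE_DAYS = 5


def ms(year, month, day, hour=0):
    """Epoch milliseconds for a UTC timestamp, the unit QRadar uses."""
    return int(datetime(year, month, day, hour, tzinfo=timezone.utc).timestamp() * 1000)


def magnitude_band(magnitude):
    """Map QRadar's 0-10 magnitude onto the assumed SLA bands."""
    if magnitude >= 8:
        return "high"
    if magnitude >= 5:
        return "medium"
    return "low"


@dataclass
class Assessment:
    id: int
    band: str
    status: str
    assigned: bool
    age_hours: float   # start -> close for closed offenses, start -> now for open ones
    sla_hours: int
    breached: bool     # age exceeds the band's SLA target
    stale: bool        # still open and not updated for longer than INACTIVE_DAYS


def assess(off, now_ms, stale_days=INACTIVE_DAYS):
    band = magnitude_band(off["magnitude"])
    end_ms = off.get("close_time") or now_ms
    age_h = (end_ms - off["start_time"]) / 3_600_000
    untouched_h = (now_ms - off["last_updated_time"]) / 3_600_000
    return Assessment(
        id=off["id"], band=band, status=off["status"],
        assigned=off.get("assigned_to") is not None,
        age_hours=age_h, sla_hours=SLA_HOURS[band],
        breached=age_h > SLA_HOURS[band],
        stale=off["status"] == "OPEN" and untouched_h > stale_days * 24,
    )


def kpi_summary(offenses, now_ms):
    """Per band: total offenses, still open, SLA breaches, open-but-unassigned, stale."""
    summary = {b: {"total": 0, "open": 0, "breached": 0, "open_unassigned": 0, "stale": 0}
               for b in SLA_HOURS}
    for off in offenses:
        a = assess(off, now_ms)
        row = summary[a.band]
        row["total"] += 1
        row["breached"] += a.breached
        if a.status == "OPEN":
            row["open"] += 1
            row["open_unassigned"] += not a.assigned
            row["stale"] += a.stale
    return summary


def overdue(offenses, now_ms):
    """IDs of open offenses that have already missed their SLA target, oldest first."""
    hits = [assess(o, now_ms) for o in offenses if o["status"] == "OPEN"]
    return [a.id for a in sorted(hits, key=lambda a: -a.age_hours) if a.breached]


NOW_MS = ms(2019, 3, 7)  # constructed "now", matching the thread's date
# Constructed sample records; not real QRadar data.
SAMPLE_OFFENSES = [
    {"id": 101, "status": "OPEN", "assigned_to": None, "magnitude": 9,
     "start_time": ms(2019, 2, 5), "last_updated_time": ms(2019, 2, 7), "close_time": None},
    {"id": 102, "status": "OPEN", "assigned_to": "tier1.offshore", "magnitude": 6,
     "start_time": ms(2019, 3, 6, 22), "last_updated_time": ms(2019, 3, 6, 23), "close_time": None},
    {"id": 103, "status": "CLOSED", "assigned_to": "tier1.offshore", "magnitude": 3,
     "start_time": ms(2019, 3, 1), "last_updated_time": ms(2019, 3, 3), "close_time": ms(2019, 3, 3)},
    {"id": 104, "status": "CLOSED", "assigned_to": "tier2.offshore", "magnitude": 8,
     "start_time": ms(2019, 2, 20, 9), "last_updated_time": ms(2019, 2, 21, 9), "close_time": ms(2019, 2, 21, 9)},
    {"id": 105, "status": "OPEN", "assigned_to": "tier1.offshore", "magnitude": 2,
     "start_time": ms(2019, 2, 26), "last_updated_time": ms(2019, 2, 26), "close_time": None},
]

if __name__ == "__main__":
    for band, row in kpi_summary(SAMPLE_OFFENSES, NOW_MS).items():
        print(band, row)
    print("overdue open offenses:", overdue(SAMPLE_OFFENSES, NOW_MS))
```

On the sample data this reports offense 101 (a magnitude-9 offense open for a month, never assigned) and 105 as overdue, and shows a closed offense (104) that still counts as an SLA breach because it took 24 hours to close against a 4-hour target; that last case is the one a report on open offenses alone would miss, which is why closed offenses are included in the KPI rows. In production the list would be fed from the offenses endpoint instead of the inline sample, and the SLA table replaced with the contractually agreed targets.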