Indicator Management Best Practices

For Tier 1 SOC analysts to manage the indicators generated by Cytomic Orion according to their severity, follow these tips. For more information about how to use the grouping and filtering tools, see Tools for Configuring Lists.

  • Order indicators by creation date. To do this, double-click the Last event column header so that the most recent indicators are shown first.

  • Filter indicators by status to easily find indicators with the status Pending.

  • Add a grouping by the Risk column. The Critical group contains the most dangerous indicators for the organization and those most likely to need to be added to an investigation.

  • To review all the indicators generated by a hunting rule, group them by dragging the Hunting Rule column to the grouping bar. It is quite probable that one hunting rule generates several related indicators.

  • To review situations where a hunting rule continuously generates a very high number of indicators, sort entries by the Occurrences in the last hour column.

  • Check the Details column, which contains a description of the hunting rule that generated the indicator. Using the indicator name together with the Details column, an analyst can determine the starting point for triage or for the investigation. If this column is not shown in the Indicators list, follow the steps listed in Add or Remove Columns.

  • Group rules according to their tactic and technique to assign them to technicians specialized in specific attack strategies.
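The following Python script is an added example (not Cytomic Orion code or API) that applies these tips to a constructed list of indicators: keep only Pending items, show the newest first, group by hunting rule ranked by highest risk and then by occurrence rate, flag rules that fire very often, and bucket rules by tactic for assignment. The field names and the noisy-rule threshold are assumptions, not a real export schema.

```python
from collections import defaultdict

# Risk levels ordered from most to least dangerous (assumed label set).
RISK_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
NOISY_THRESHOLD = 100  # assumed cut-off for "a very high number of indicators"

# Constructed sample indicators; keys mirror the list columns described in
# the tips but are an assumption, not an actual product export format.
INDICATORS = [
    {"id": 1, "created": "2024-05-01T10:00:00", "status": "Pending", "risk": "High",
     "hunting_rule": "Suspicious PowerShell", "occurrences_last_hour": 3, "tactic": "Execution"},
    {"id": 2, "created": "2024-05-01T09:30:00", "status": "Pending", "risk": "Critical",
     "hunting_rule": "Credential Dumping", "occurrences_last_hour": 1, "tactic": "Credential Access"},
    {"id": 3, "created": "2024-05-01T08:00:00", "status": "Closed", "risk": "Critical",
     "hunting_rule": "Credential Dumping", "occurrences_last_hour": 1, "tactic": "Credential Access"},
    {"id": 4, "created": "2024-05-01T10:05:00", "status": "Pending", "risk": "Medium",
     "hunting_rule": "Noisy Port Scan", "occurrences_last_hour": 250, "tactic": "Discovery"},
]


def pending(indicators):
    """Filter by status: only indicators still awaiting triage."""
    return [i for i in indicators if i["status"] == "Pending"]


def newest_first(indicators):
    """Sort by creation time, most recent indicator first (ISO timestamps sort as text)."""
    return sorted(indicators, key=lambda i: i["created"], reverse=True)


def group_by_rule(indicators):
    """Group indicators by the hunting rule that generated them."""
    groups = defaultdict(list)
    for i in indicators:
        groups[i["hunting_rule"]].append(i)
    return dict(groups)


def triage_order(indicators):
    """Pending rule groups ranked by highest risk, then by highest occurrence rate."""
    groups = group_by_rule(pending(indicators))

    def rank(item):
        _, inds = item
        top_risk = min(RISK_ORDER[i["risk"]] for i in inds)
        peak_rate = max(i["occurrences_last_hour"] for i in inds)
        return (top_risk, -peak_rate)

    return [rule for rule, _ in sorted(groups.items(), key=rank)]


def noisy_rules(indicators, threshold=NOISY_THRESHOLD):
    """Rules continuously generating many indicators; candidates for tuning."""
    return sorted({i["hunting_rule"] for i in indicators if i["occurrences_last_hour"] >= threshold})


def rules_by_tactic(indicators):
    """Bucket pending rules by tactic so they can be assigned to specialised technicians."""
    buckets = defaultdict(set)
    for i in pending(indicators):
        buckets[i["tactic"]].add(i["hunting_rule"])
    return {tactic: sorted(rules) for tactic, rules in buckets.items()}
```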