Incident and Risk Management
Incident tracking, risk assessment, and response playbooks within the SIEM module.
Incident Management
Navigation: ELS Console → SIEM → Incidents
The Incidents tab displays all triggered alert incidents in a time-filtered, searchable table. Each incident row contains the following information:
| Column | Description |
|---|---|
| Timestamp | Time when the alert was triggered |
| Assignee | User assigned to handle the incident |
| Status | Current incident status |
| Risk Value | Calculated risk score |
Incident Statuses
Each incident has one of the following statuses:
New — incident has been created but not yet reviewed
Ongoing — incident is being actively investigated
False — incident has been identified as a false positive
Solved — incident has been resolved
Incident Actions
For each incident you can:
Update status — change the incident status
Assign user — assign a team member to handle the incident
Add notes — attach investigation notes and comments
Verify against blacklist — check incident fields against the blacklist index (single field or whole document)
View document — inspect the original alert document
Manual Incident Creation
Navigation: ELS Console → Discover → Incident (top right)
Incidents are typically created automatically when alert rules are triggered. Additionally, you can create incidents manually from the Discover interface by clicking the Incident button in the top-right corner. This allows you to flag suspicious events found during manual log analysis.
Risk Management
Navigation: ELS Console → SIEM → Risks
Risk management allows you to categorize and score entities (users, hosts, IPs) by mapping field values to risk categories. The Risks tab has four sub-tabs: Create Category, Category List, Create Risk, and Risk List.
Risk Categories
A risk category defines a named risk level with a numeric value from 0 to 100.
Creating a category:
Go to the Create Category sub-tab.
Enter a Category name (e.g., “Critical Assets”, “High Risk Users”).
Set a Category value (0–100), where higher values represent higher risk.
Submit the category.
Note
A default uncategorized category with value 0 is created automatically on plugin initialization.
Risk Entries
A risk entry maps a specific field value from your data to a risk category.
Creating a risk entry:
Go to the Create Risk sub-tab.
Select an Index pattern and Time range to load available data.
Choose the Key field (e.g., source.ip, user.name). The system loads the unique values of the selected field from the index.
Map each value to a risk category.
Risk Scoring on Alert Rules
Each alert rule can include risk scoring configuration:
Risk Key — the field used to calculate risk (e.g., source.ip)
Multiple risks aggregation — how to combine several risk values when more than one applies: MAX, MIN, AVG, SUM, or CUSTOM
Risk boost [%] — a percentage multiplier applied to the aggregated risk score (default: 100, i.e. no change; 150 raises the score by half)
When an alert triggers, the system looks up the risk value for the entity (or entities) identified by the Risk Key field; a value with no risk entry falls into the default uncategorized category (value 0). The aggregation method combines the looked-up values and the boost percentage is then applied to produce the final risk score, shown in the Risk Value column of the Incidents tab.
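The risk-entry mapping (Create Risk) and the alert-time scoring just described, as an added worked example in Python. This is not the plugin's own code: the field names source.ip and user.name and the category names come from this page, but the sample documents are constructed, the idea that "multiple risk values" arise from a multi-valued Risk Key field in the alert document is an assumption, CUSTOM is modelled as a caller-supplied callable because the page does not define it, and the result is not clamped because the page does not say whether the plugin clamps it.

```python
from statistics import mean
from typing import Callable, Dict, List, Tuple, Union

# Constructed sample documents (not real data) with the two Key fields
# named on the page. They stand in for the index loaded in Create Risk.
SAMPLE_DOCS = [
    {"source.ip": "10.0.0.5", "user.name": "alice"},
    {"source.ip": "10.0.0.7", "user.name": "bob"},
    {"source.ip": "192.168.1.1", "user.name": "alice"},
    {"source.ip": "10.0.0.5", "user.name": "carol"},
]

# Default category created on plugin initialization (value 0).
UNCATEGORIZED = "uncategorized"

# Risk categories: name -> value in 0..100, higher means riskier.
CATEGORIES: Dict[str, int] = {UNCATEGORIZED: 0}


def add_category(name: str, value: int) -> None:
    """Create Category step: register a named risk level (0-100)."""
    if not 0 <= value <= 100:
        raise ValueError(f"category value must be 0..100, got {value}")
    CATEGORIES[name] = value


def unique_values(docs: List[dict], field: str) -> List[str]:
    """Create Risk step: load the unique values of the Key field from the index."""
    return sorted({str(d[field]) for d in docs if field in d})


# Risk entries: (key field, field value) -> category name.
RISK_ENTRIES: Dict[Tuple[str, str], str] = {}


def map_value(field: str, value: str, category: str) -> None:
    """Create Risk step: map one field value to an existing category."""
    if category not in CATEGORIES:
        raise KeyError(f"unknown category {category!r}")
    RISK_ENTRIES[(field, str(value))] = category


def risk_value(field: str, value: str) -> int:
    """Look up one entity; unmapped values fall into the uncategorized category (0)."""
    return CATEGORIES[RISK_ENTRIES.get((field, str(value)), UNCATEGORIZED)]


# Aggregation methods offered on the alert rule. CUSTOM is an assumption:
# the page lists it but does not define it, so it is a caller-supplied callable.
AGGREGATIONS: Dict[str, Callable[[List[int]], float]] = {
    "MAX": max,
    "MIN": min,
    "AVG": mean,
    "SUM": sum,
}


def score_alert(alert_doc: dict, risk_key: str,
                aggregation: Union[str, Callable[[List[int]], float]] = "MAX",
                boost_pct: float = 100.0) -> float:
    """Alert-time scoring: look up every entity under risk_key, aggregate, apply boost.

    Assumption: a multi-valued risk_key field (e.g. several source IPs in one
    alert) is what produces 'multiple risk values'. The result is not clamped.
    """
    raw = alert_doc.get(risk_key)
    if raw is None:
        values: List[str] = []
    elif isinstance(raw, (list, tuple, set)):
        values = [str(v) for v in raw]
    else:
        values = [str(raw)]
    risks = [risk_value(risk_key, v) for v in values]
    if not risks:
        return 0.0
    combine = AGGREGATIONS[aggregation] if isinstance(aggregation, str) else aggregation
    return float(combine(risks)) * boost_pct / 100.0


# Populate categories and entries the way the sub-tabs would.
add_category("High Risk Users", 70)
add_category("Critical Assets", 90)
map_value("source.ip", "10.0.0.5", "Critical Assets")
map_value("source.ip", "10.0.0.7", "High Risk Users")

if __name__ == "__main__":
    alert = {"source.ip": ["10.0.0.5", "10.0.0.7", "192.168.1.1"]}
    for method in AGGREGATIONS:
        print(method, score_alert(alert, "source.ip", method))
    print("MAX with 150% boost", score_alert(alert, "source.ip", "MAX", 150))
```

With the three-address alert above, MAX yields 90, MIN 0 (the unmapped 192.168.1.1), SUM 160 and AVG about 53.3; a boost of 150 turns the MAX result into 135, which is why the boost value deserves a sanity check if downstream tooling expects scores in the 0-100 range of the categories.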
Playbooks
Navigation: ELS Console → SIEM → Playbook
Playbooks provide a way to document response procedures and attach executable scripts to alert rules. The Playbook tab has two sub-tabs: Create Playbook and Playbook List.
Creating a Playbook
Go to the Create Playbook sub-tab.
Fill in the following fields:
Name — descriptive name for the playbook
Text — response procedure description (e.g., investigation steps, escalation instructions)
Script — executable script content to be run when the playbook is invoked
Submit the playbook.
Managing Playbooks
The Playbook List sub-tab displays all created playbooks in a table. Available actions for each playbook:
Show — view playbook details
Update — edit the playbook name, text, or script
Delete — remove the playbook
Associating Playbooks with Alert Rules
Playbooks are linked to alert rules through the alert creation form:
When creating or editing an alert rule (SIEM → Alert Rules → Create Alert Rule), enable the Playbooks toggle.
Select one or more playbooks to associate with the rule.
When the alert triggers, the associated playbooks are available for the incident responder to reference and execute.