What is event, incident, alert & notification
How many alerts creates incident? How does the event relate to the alert? What is the difference between notification and alert? Such questions are often found on IT users forums. And although the difference is obvious to a skilled administrator, differences in approach often lead to misunderstandings. There is a great freedom of interpretation of what an event, alert, incident, notification is and what are their relationships.
Threat researcher David Miessler proposes a division based on business impact for the company. Since everything is ultimately measured by the company’s ability to generate value, this division allows us to quite precisely define the boundaries between terms mentioned in the title. It accurately describes the differences between an event, alert and incident – but it skips the notification. When we add this definition, we get the following division (it should be noted that it is not an officially adopted standard):
Event and Incident is information about activity, what happened, who took part in it, what type of connection was, where it came from.
This is an observed change in normal device / system / process / user behavior. Basically all logs are events.
An example of an event can be:
- update of the firewall management software version,
- logging in to the system by the user,
- the administrator’s connection to the router.
This is an event that negatively affects the company’s business activity. Most often, an incident starts with an alert triggered by an analyst or system that qualifies it as an incident. It is possible to raise the rank without raising an alert – based on the administrator’s decision. An incident may consist of several events.
The method of notification about the activity – how the administrator / recipient is notified about the activity:
This is usually quite broad information that can be classified according to the Eisenhower Matrix as “IMPORTANT-NOT URGENT” or “IMPORTANT-NOT URGENT” – information that:
- are not classified as representing a risk,
- are not a behavioral anomaly,
- do not require a quick response, e.g. checking.
They are often shown in a different system window than alerts.
It is a special, urgent notification about the occurrence of a specific event (or series of events) that is sent to responsible parties to initiate an action. An alert is something that a device (SIEM, firewall, DLP) has to notify you about based on the security rules you have programmed. An alert may be related to several events.
Alerts typically appear pop-up, highlighted, or otherwise listed.
- 5 unsuccessful login attempts to one account,
- connection from an unknown IP during hours outside of business activity,
- attempt to send by e-mail more than 5 records classified as personal data.
Border: What behavior do we consider normal?
- A suspicious event will trigger – à ALERT
- Qualifying an event marked with an alert as a threat – à INCIDENT
- The analyst can spot a suspicious event himself and start an – à INCIDENT
Considerations above can be briefly summarized: Every incident is an event, but not every event is an incident.The analyst goes through the events, first of all those with generated alerts and, based on his knowledge, qualifies what is considered an incident and what is false-positive. On the other hand, notifications add context to it during the general analysis of events.
- According to ITIL, an event can be defined as any detectable or discernible event that is relevant to the management of the IT infrastructure or the provision of IT services and to assess the impact that a derogation may have on services. Events are typically notifications created by an IT service, configuration item (CI), or monitoring tool.
- NIST and CERT define an incident as a breach of explicit or implied rules and in my opinion it is too common in most organizations to be of practical use.
When deciding on how broad or narrow a definition to use, consider that all incidents should result ina well-organized incident response process. If you cannot do this, because there are thousands or millions of them daily or weekly, adjust your definition accordingly or significantly change your security strategy.