
Top 8 IT Alerting and Incident Management Tools

Ranked: xMatters IT Management, PagerDuty, BigPanda, Everbridge IT Alerting, Opsgenie, VictorOps, Send Word Now, FortiMonitor.
- xMatters IT Management: Simple features create flow sets and build APIs for integrations. Workflows and messaging are most valuable. Workflows are very useful. They are important for consolidating information or stopping duplication from happening. We put all the information into xMatters and then the workflow will push the same information in the correct format directly through to other applications that our end users frequently use, such as Slack, email, and Workplace.
- PagerDuty: It reduces the amount of white noise. If something comes through, then it will alert somebody. However, if it's a bit of white noise that comes through at night, then it gets dealt with the next day. Everything is visible to everybody. It's not just a single person getting an SMS, then going, "Oh, I'm not going to worry about that." The visibility to everybody on the team is one of the great things about it because it reduces the white noise.
- BigPanda: BigPanda integrates well with other solutions, such as WatchGuard. The main thing that we like about BigPanda is the user interface.
- Everbridge IT Alerting: The post-mortem reports are descriptive, indicating who joined the call and when. A robust solution with multiple modules that can be leveraged.
- Opsgenie: The integration feature is the most valuable. It provides a lot of customizations for the integrations we use. OpsGenie has many features, such as email notification, SMS notification, roster, tracking of the tickets. Automation, like scripting, is also possible. There are also features for maintaining the history of the tickets and all the solutions related to how it was resolved previously. If there are similar kinds of tickets, we can look at how a person is working on that ticket. If he doesn't have any idea, you can look back at a similar ticket and solve it as the previous person did it.
- VictorOps: VictorOps has been good enough for us and it's effective for our needs in case of an on-call escalation process. Transmogrifier and automatic solution report gives me a report with the solution and the way to solve issues when an error occurred.
- Send Word Now: The placeholder dropdowns for message templates are useful. It allows for a systematic and uniform method of alerting personnel in every location.

Advice From The Community

Read answers to top IT Alerting and Incident Management questions.
Evgeny Belenky
Hello security professionals, what is the main difference between these two terms in incident response: mitigation and remediation? Please share some examples, if applicable. Thanks.

ITSecuri7cfd (IT Security Coordinator at a healthcare company with 10,001+ employees)
Real User

Mitigation is taking your car in for an oil change and tune-up. Remediation is them finding you have a blown gasket seal and replacing the parts and greasing the engine to make sure your engine doesn't blow. AKA security vulnerability management.

Sam M Cohen
Real User

Mitigation is pre-emptive. Remediation is reactive. Others have provided excellent examples.

Mitigation is the implementation of RAID storage. Remediation is the recovery of a failed disk. Both may be needed over the lifecycle, but the level of effort is much higher and the quality of recovery is significantly lower without mitigation - net, the cost of doing business is higher without mitigation.

Luis Apodaca
User

Let's say in an IT environment:

"Mitigation" moves your virtual machines or containers to another virtualization server to keep production running while you find and solve the problem.

"Remediation" is, in fact, finding the problem, solving it, taking notes and preventing it from happening again.

Those are just examples.

Ruben Boiardi
Real User

Mitigation is changing the flat tire. Remediation is getting the nails off the road. 

Rony_Sklar
Hi dear community, can you explain what an incident response playbook is and the role it plays in SOAR? How do you build an incident response playbook? Do SOAR solutions come with a pre-defined playbook as a starting point?

Maged Magdy
Real User

Hi,

What is an incident response playbook?

An Incident Response Playbook is the guidelines and group of processes, policies, plans, and procedures, along with appropriate oversight of response activities, that the organization should take to make a proactive response, quick containment, effective remediation and an action plan with "what if" scenarios in case a certain cyber incident has taken place.

How do you build an incident response playbook?

According to NIST, to build an Incident Response Playbook you need to design the process, which contains 4 main phases:

1- Prepare.
2- Detect and Analyze.
3- Contain, Eradicate and Recover.
4- Post-Incident Handling.

*Reference, NIST Computer Security Incident Handling Guide:
https://nvlpubs.nist.gov/nistp...

*Reference, SANS Incident Handler's Handbook:
https://www.sans.org/reading-r...

Do SOAR solutions come with a pre-defined playbook as a starting point?

- Sure, most SOAR solutions today come with predefined templates. However, it's a double-bladed weapon based on the Cyber Security Awareness and maturity level of the organization. If it's implemented with no or a low maturity level, it may harm the organization's production and utilize the resources improperly.

David Swift
Real User

Incident Response playbooks detail how to act when a threat or incident occurs. PICERL - Preparation, Identification, Containment, Eradication, Remediation, Lessons Learned (from SANS). The playbook outlines what to do at each stage.

Typical SOAR playbooks automate the response to detected threats:

- Create a ticket to track the incident
- Identify the source and target
- Confirm the attack is suspicious (SOC Analyst lookup, on a known blacklist? other events?)
- Contain or clean the host (EDR, patch, update AV...)
- Block the known attacker (on a firewall, IDS, etc...)
- Disable a compromised account
- Notify anyone necessary

SOAR actions include scripts to set or fire off actions on devices.

A playbook usually has a series of actions when a threat/incident is detected.

Most SOARs include playbooks, but they have to be tailored and customized to the specific devices you have in your environment (Palo Alto Firewall vs. Checkpoint, Cylance vs. McAfee EPO...), ticketing system integration, SIEM/UEBA threat detection integration...

Robert Cheruiyot
Real User

Hi Rony,

A playbook automates the gathering of threat intelligence from a myriad of threat intelligence sources. Playbooks ingest alerts from tools like a SIEM and scan the alerts against threat intelligence sources like VirusTotal and others in order to get information related to the alert. A playbook, for example, can scan suspicious domains/IPs against VirusTotal and provide a reputation score for the domain/IP.

Depending on the workflow, the playbook may be configured to close a case if it's a false positive, or pass the case together with the threat intelligence gathered to a SOC Analyst for further investigation. This way the playbook will reduce time spent on false-positive alerts. It also saves time for analysts by automatically gathering threat intelligence instead of analysts doing that manually.

Be careful of cases where you set alerts to be automatically closed, though. You can try this on some community editions of SOAR platforms: Splunk Phantom, Siemplify...

Building a playbook

Magdy has provided perfect industry standards for building playbooks. Just a little more: the playbook mainly has actions and decisions. Actions: take an action against an alert (like scanning), and based on the results the playbook decides what to do: whether to close, do further scanning using other tools, or pass it to the SOC analyst. This really depends on your workflow.

I am a junior but I love this SOAR thing.

Simon Thornton
Real User

For a given incident type, it describes a series of actions that can be a mixture of automated and manual steps. When you start, the steps are often manual. As the playbook and confidence in the steps improve, you can start automating.


For example, a playbook for a "suspicious email" might read as:

1) check if a case is already open for this user and/or asset; if yes, go to step 3
2) open a case and record details
3) extract the suspicious attachment
4) generate MD5 and SHA256 hashes
5) submit the hashes to VirusTotal and record the results
6) if 50% (pick your threshold) of AV engines detect the sample, skip to step 10
7) forward the email attachment to a sandbox
8) does the sandbox report indicate suspicious behavior? If yes, escalate to T3
9) inform the user
10) open a ticket to IT to re-template the PC or fix it
11) when you receive a response from IT about the ticket, close the SOC ticket with the relevant closure details

This is a quick illustration of what steps should be included, depending on your environment and how far you go.


Each step could be related to different teams.
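As an added example, not code from any of the answerers or from a SOAR product: the "suspicious email" playbook above, together with the ticket-and-notify actions David Swift lists, written as a small Python decision flow. The VirusTotal hash lookup and the sandbox detonation are injected stand-in functions (assumptions, so the flow runs offline), the attachment samples are constructed, and treating a clean sandbox result as "pending analyst review" rather than auto-closing the case follows Robert Cheruiyot's caveat and is an assumption about the workflow.

```python
"""Suspicious-email playbook as a small decision flow (added example, not from the thread).

The VirusTotal lookup and sandbox detonation are injected callables with
constructed stand-ins so the flow runs offline; both are assumptions, not
real connectors.
"""
import hashlib
from dataclasses import dataclass, field

# Step 6: share of AV engines that must flag the hash to skip straight to IT ("pick your threshold").
DETECTION_THRESHOLD = 0.5


@dataclass
class Case:
    case_id: int
    user: str
    asset: str
    status: str = "open"
    actions: list = field(default_factory=list)  # audit trail, one entry per step taken


class CaseRegistry:
    """Holds SOC cases; step 1 checks here before opening a new one."""

    def __init__(self):
        self.cases = []

    def find_open(self, user, asset):
        """Any case not yet closed that already covers this user or this asset."""
        for c in self.cases:
            if not c.status.startswith("closed") and (c.user == user or c.asset == asset):
                return c
        return None

    def open_case(self, user, asset):
        case = Case(len(self.cases) + 1, user, asset)
        self.cases.append(case)
        return case


def hash_attachment(data):
    """Step 4: MD5 and SHA256 of the extracted attachment bytes."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def run_playbook(registry, user, asset, attachment, reputation_lookup, sandbox_detonate):
    """Steps 1-10 of the playbook. Returns the case with its action log and status."""
    case = registry.find_open(user, asset)          # step 1
    if case is None:
        case = registry.open_case(user, asset)      # step 2
        case.actions.append("open_case")
    else:
        case.actions.append("reuse_case")
    hashes = hash_attachment(attachment)            # steps 3-4
    ratio = reputation_lookup(hashes["sha256"])     # step 5
    case.actions.append(f"reputation={ratio:.2f}")
    if ratio >= DETECTION_THRESHOLD:                # step 6: skip to step 10
        case.actions.append("ticket_it_reimage")
        case.status = "awaiting_it"
        return case
    verdict = sandbox_detonate(attachment)          # step 7
    case.actions.append(f"sandbox={verdict}")
    if verdict == "suspicious":                     # step 8
        case.actions.append("escalate_t3")
        case.actions.append("inform_user")          # step 9
        case.actions.append("ticket_it_reimage")    # step 10
        case.status = "awaiting_it"
    else:
        # Assumption: a clean sandbox run is not auto-closed; an analyst confirms the false positive.
        case.actions.append("pending_analyst_review")
        case.status = "pending_analyst"
    return case


def close_from_it_response(case, it_response):
    """Step 11: close the SOC ticket once IT reports back, keeping the closure details."""
    case.actions.append(f"closed:{it_response}")
    case.status = "closed"
    return case


# Constructed samples and stand-ins (assumptions for the offline demo).
SAMPLE_KNOWN_BAD = b"constructed sample: widely detected"
SAMPLE_UNKNOWN_MACRO = b"constructed sample: unknown, MACRO_AUTOOPEN marker"
SAMPLE_BENIGN = b"constructed sample: quarterly report"
KNOWN_BAD_RATIOS = {hash_attachment(SAMPLE_KNOWN_BAD)["sha256"]: 0.9}


def fake_reputation_lookup(sha256_hex):
    """Stand-in for a VirusTotal hash lookup: fraction of engines flagging the hash."""
    return KNOWN_BAD_RATIOS.get(sha256_hex, 0.0)


def fake_sandbox(attachment):
    """Stand-in for sandbox detonation: flags a constructed macro marker."""
    return "suspicious" if b"MACRO_AUTOOPEN" in attachment else "clean"


def demo():
    """Run three constructed emails through the playbook and return the registry."""
    reg = CaseRegistry()
    a = run_playbook(reg, "alice", "wks-01", SAMPLE_KNOWN_BAD, fake_reputation_lookup, fake_sandbox)
    run_playbook(reg, "bob", "wks-02", SAMPLE_UNKNOWN_MACRO, fake_reputation_lookup, fake_sandbox)
    run_playbook(reg, "carol", "wks-03", SAMPLE_BENIGN, fake_reputation_lookup, fake_sandbox)
    close_from_it_response(a, "host re-templated")
    return reg


if __name__ == "__main__":
    for case in demo().cases:
        print(case.case_id, case.user, case.status, case.actions)
```

The two decision points (the detection-ratio threshold and the sandbox verdict) are the places where a real deployment swaps in its own connectors; keeping the case registry separate is what makes step 1's dedupe and step 11's closure testable without any external system.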


IT Alerting and Incident Management Articles

Evgeny Belenky
PeerSpot (formerly IT Central Station)
Nov 19 2021
Hi community members, Spotlight #2 is our fresh bi-weekly community digest for you. It covers cybersecurity, IT and DevOps topics. Check it out and comment below with your feedback! Trending What are the pros and cons of internal SOC vs SOC-as-a-Service? Join The Moderator Team at IT Ce...
CristianoLima
Senior IT Infrastructure Engineer at Tecnoage
Nov 05 2021
Keeping up with the evolution of cybersecurity and the threats that are haunting the IT industry across all industries, this text pays special attention to ransomware, as this practice is on the rise in the world of cybercrime. Let's focus on the subject, specifically on the Healthcare sector. ...
Netanya Carmi
Content Manager
PeerSpot (formerly IT Central Station)
Oct 14 2021
We receive alerts all day long - alerts about emails, incoming Whatsapps and SMSes, posts on social media, etc. At some point we become desensitized to these alerts and stop noticing them anymore - a phenomenon known as “alert fatigue.” Seventy percent of a SOC analyst’s workday is spent dealing ...