NIST state for Security Incident Response

Prashant64
Tera Contributor

While implementing Security Incident Response using NIST Stateful in Process Definition, can we move back (for example, move to Contain from the Review state)? Kindly provide any information.


RaghavSh
Mega Patron

OOB - No


Raghav
MVP 2023
LinkedIn

bsmolski
ServiceNow Employee

Hello @Prashant64,

Broadly no, but there are some exceptions such as "Eradicate" to "Contain" or "Recover" to "Eradicate". Here is the list of possible movements:

Draft > Analysis, Contain, Eradicate, Recover
Analysis > Contain, Eradicate, Recover
Contain > Eradicate, Recover, Review, Closed
Eradicate > Contain, Recover, Review, Closed
Recover > Eradicate, Review, Closed
Review > Closed
Closed > none
Cancelled > none

These are all defined in the sn_si.ProcessDefinition_NIST_Stateful script include. This can be modified but this is considered a customisation and is not recommended. For more flexibility, I'd suggest adopting the NIST Open process, as this allows transitioning to any state without restriction throughout the Security Incident lifecycle. This can be updated here:

All > Security Incident > Administration > Process Selection

Please consider making my posts as "Helpful" or hitting the Thumb Icon and marking as "Correct". Thanks!
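As an added example that is not part of the thread above and not ServiceNow's own script include, the transition list from the reply modelled as a plain JavaScript map, with a validator that reports the first hop a process rejects and a helper that lists the only "move back" options the stateful table permits. The lifecycle order used to classify a move as backward (Draft, Analysis, Contain, Eradicate, Recover, Review, Closed, with Cancelled treated as terminal and outside the order) is an assumption, as is modelling the NIST Open process as any known state to any other known state.

```javascript
// Added example (not ServiceNow's own code): the NIST Stateful transition
// table quoted in the reply, a validator for a proposed state sequence, and
// a helper that derives which moves go "backward" in the lifecycle.

// Allowed moves, copied from the reply's list (from -> [to, ...]).
const NIST_STATEFUL = {
  Draft:     ['Analysis', 'Contain', 'Eradicate', 'Recover'],
  Analysis:  ['Contain', 'Eradicate', 'Recover'],
  Contain:   ['Eradicate', 'Recover', 'Review', 'Closed'],
  Eradicate: ['Contain', 'Recover', 'Review', 'Closed'],
  Recover:   ['Eradicate', 'Review', 'Closed'],
  Review:    ['Closed'],
  Closed:    [],
  Cancelled: [],
};

// Assumed lifecycle order; used only to classify a move as forward or backward.
// Cancelled is deliberately left out: it is terminal and has no position.
const LIFECYCLE_ORDER = ['Draft', 'Analysis', 'Contain', 'Eradicate', 'Recover', 'Review', 'Closed'];

function assertKnown(state) {
  if (!Object.prototype.hasOwnProperty.call(NIST_STATEFUL, state)) {
    throw new Error(`unknown security incident state: ${state}`);
  }
}

// Stateful process: allowed only if the table lists `to` under `from`.
function canTransitionStateful(from, to) {
  assertKnown(from);
  assertKnown(to);
  return NIST_STATEFUL[from].includes(to);
}

// NIST Open process, modelled (assumption) as any known state to any other.
function canTransitionOpen(from, to) {
  assertKnown(from);
  assertKnown(to);
  return from !== to;
}

// Walk a proposed sequence of states and return the first hop the chosen
// process rejects ({ index, from, to }), or null if every hop is allowed.
function firstIllegalHop(canTransition, path) {
  for (let i = 1; i < path.length; i++) {
    if (!canTransition(path[i - 1], path[i])) {
      return { index: i, from: path[i - 1], to: path[i] };
    }
  }
  return null;
}

// Every table entry whose target sits earlier in the lifecycle order:
// these are the only "move back" options the stateful process offers.
function backwardMoves() {
  const moves = [];
  for (const [from, targets] of Object.entries(NIST_STATEFUL)) {
    const fromIdx = LIFECYCLE_ORDER.indexOf(from);
    for (const to of targets) {
      const toIdx = LIFECYCLE_ORDER.indexOf(to);
      if (fromIdx !== -1 && toIdx !== -1 && toIdx < fromIdx) {
        moves.push(`${from} > ${to}`);
      }
    }
  }
  return moves;
}

// Usage: the exact case asked in the question, Review back to Contain.
const askedPath = ['Draft', 'Analysis', 'Contain', 'Review', 'Contain'];
console.log(firstIllegalHop(canTransitionStateful, askedPath)); // { index: 4, from: 'Review', to: 'Contain' }
console.log(firstIllegalHop(canTransitionOpen, askedPath));     // null
console.log(backwardMoves()); // [ 'Eradicate > Contain', 'Recover > Eradicate' ]
```

Running it shows the stateful process rejecting the Review to Contain hop at index 4 while the open model accepts the same path, and `backwardMoves()` reproduces the two exceptions the reply names directly from the table rather than from memory.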