Skip to content

Latest commit

 

History

History
88 lines (59 loc) · 5.63 KB

incident-reporting.md

File metadata and controls

88 lines (59 loc) · 5.63 KB

WA SOC Incident Reporting Portal (IRP)

1. Overview

The cyber security incident reporting portal provides a secured login for each Western Australian government agency to:

  • report cyber incidents
  • enable coordination of incident response
  • receive updates on ongoing cyber security events and topics

Portal Overview

1.1 Cyber Incident Response Plan

All agencies should have a Cyber Incident Response Plan (ACSC Practitioner Guidance updated April 2024, pdf also available) defined that clearly outlines the work to ensure an effective response and prompt recovery in the event security controls don’t prevent an incident occurring. This plan should be tested and regularly reviewed.

ACSC also published an excellent ACSC Cyber Incident Response Plan - Word Template - March 2023 (docx) suitable for tailoring to an organisations specific context. The guidance includes some highly relevant appendices:

!!! abstract "Incident Response Appendices"

- Appendix A - Terminology and definitions
- Appendix B - Cyber Security Incident Response Readiness Checklist
- Appendix C - ASD cyber security incident triage questions
- Appendix D - Situation Report Template
- Appendix E - Cyber Security Incident Log Template
- Appendix F - Evidence Register Template
- Appendix G - Remediation Action Plan Template
- Appendix H - Post cyber security incident reviews
- Appendix I - Action Register Template
- Appendix J - Role cards
- Appendix K - ASD Cyber Security Incident Categorisation Matrix

1.2 ACSC Incident Categorisation Matrix

ACSC Incident Categorisation Matrix 2022

2. Getting access

2.1. Logging in to the WASOC IRP

The WA Security Operations Centre - IRP is accessible using any modern browser.

When logging in you will be prompted to use Single Sign On, please do this and Continue with Microsoft for your Atlassian Identity.

3. Creating a Cybersecurity Incident

  • Report a cyber incident - WASOC IRP form
    • Enter the details of your incident
    • Select Share with your organisation
  • SIEM Sentinel incidents will be automatically integrated with the IRP for monitored customers.
  • To manage alerting and integrations, please use the Request Assistance WASOC IRP form

4. Managing your Cybersecurity Incidents

You can view all of your security teams incidents on the Requests page in the WASOC IRP.

The below actions can be taken on your incidents, noting that all standard activities (classification, severity, labeling, comments) should be able to be undertaken in your SIEM and automatically synced to the IRP.

  • Search existing incidents by summary, description or entities
  • Add comment/ updates to an Incident
    • If you add comments in your SIEM they will sync automatically
    • Attachments and Non-SIEM Incidents can be directly commented on in the portal
  • Request assistance
  • Create a post-incident review
    • The WA SOC can review your PIR and provide additional context as needed

4.1. Managing your SIEM Sentinel Analytic Rules

If your team is seeing a lot of false positive detections, please review Handle false positives in Microsoft Sentinel and reach out to the SOC using Request Assistance for further advice.

5. General security advice

For any other SIEM advice, general security problems and questions don't hesitate to reach out to the SOC using Request Assistance. For any urgent incidents please call us on Teams or via phone.

6. Monthly Reporting

The below aggregate statistics are being captured by the new portal and will be available in the SOC monthly reports for your organisation. Monthly reports are under review to align them to the WA Government Cyber Security Policy and the NIST Cyber Security Framework.