The thin line between an event and an incident. The question is: when does an event become an incident?

Yes, I can already hear most people thinking or saying that an event becomes an incident the moment a detection use case triggers. But is it really this black and white? Or do we unnecessarily complicate it with processes, procedures and responsibilities?

Richard de Vries
Tales from a Security Professional
5 min read · Jun 12, 2021


Within the cybersecurity industry we use words like event, alert, notification and incident. I will clarify these terms first before continuing to answer the question.

  • An event contains information about something that has happened. For example, a user logs into a host via SSH.
  • A notification is generated when a use case triggers. For example, a user logs into a host via SSH from a malicious IP address. The use case detects traffic to or from known-malicious IP addresses where the SSH protocol is used.
  • An alert is a notification that has been confirmed as a true positive. The SOC analyzes and assesses every generated notification and classifies it as either a true positive or a false positive.
  • An incident is raised when events connected to an alert contain potentially…
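To make the event, notification and alert stages concrete, here is an added example (not code from the original post) that runs the SSH use case described above over a few constructed sshd log lines. The malicious IP list, the log lines and the analyst verdict function are all assumptions made up for this example; a real SOC would take the IP list from a threat-intelligence feed and the verdict from a human analyst.

```python
import re
from dataclasses import dataclass

# Constructed sample sshd log lines for this example (not real data).
SAMPLE_LOG = """\
Jun 12 09:14:02 web01 sshd[2314]: Accepted publickey for deploy from 10.0.5.21 port 51822 ssh2
Jun 12 09:15:47 web01 sshd[2330]: Accepted password for root from 203.0.113.45 port 40122 ssh2
Jun 12 09:16:03 web01 sshd[2342]: Failed password for admin from 198.51.100.7 port 55011 ssh2
Jun 12 09:17:30 web01 sshd[2351]: Accepted publickey for ops from 192.0.2.10 port 60233 ssh2
"""

# Hypothetical threat-intel list: IPs treated as malicious for this example.
MALICIOUS_IPS = {"203.0.113.45", "198.51.100.7"}

# Matches the standard OpenSSH "Accepted/Failed <method> for <user> from <ip>" lines.
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?P<method>\w+) for (?P<user>\S+) "
    r"from (?P<src_ip>[\d.]+) port \d+ ssh2$"
)


@dataclass
class Event:
    """Something that happened: one parsed SSH login attempt."""
    ts: str
    host: str
    user: str
    src_ip: str
    outcome: str
    method: str


@dataclass
class Notification:
    """Raised when a use case matches an event; not yet judged true or false."""
    use_case: str
    event: Event


@dataclass
class Alert:
    """A notification the SOC has classified as a true positive."""
    notification: Notification
    analyst_note: str


def parse_events(log_text):
    """Every line the parser understands becomes an Event."""
    events = []
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if m:
            events.append(Event(m["ts"], m["host"], m["user"],
                                m["src_ip"], m["outcome"], m["method"]))
    return events


def run_use_case(events, malicious_ips):
    """Use case 'SSH traffic involving a malicious IP': one Notification per matching event."""
    return [Notification("ssh_malicious_ip", e) for e in events if e.src_ip in malicious_ips]


def sample_analyst_verdict(notification):
    """Stand-in for SOC triage (an assumption for this example): a successful login from a
    listed IP is a true positive; a failed attempt from a known scanner is treated as
    background noise and classified as a false positive. Returns a note or None."""
    e = notification.event
    if e.outcome == "Accepted":
        return f"successful {e.method} login for {e.user} from listed IP {e.src_ip}"
    return None


def triage(notifications, is_true_positive):
    """Notifications judged true positive become Alerts; false positives are dropped."""
    alerts = []
    for n in notifications:
        note = is_true_positive(n)
        if note:
            alerts.append(Alert(n, note))
    return alerts


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    notifications = run_use_case(events, MALICIOUS_IPS)
    alerts = triage(notifications, sample_analyst_verdict)
    print(f"{len(events)} events -> {len(notifications)} notifications -> {len(alerts)} alerts")
    for a in alerts:
        print("ALERT:", a.analyst_note)
```

Note what the pipeline does not do: it never creates an incident. Whether the single alert here (a password login as root from a listed IP) is an incident is exactly the question the post is asking, and it is answered by the SOC's process, not by the detection rule.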
