Data: fields and data tables

A security incident centres on the data that you capture and control, surrounded by the related events and the business context.

You can use fields as data capture points for analysis and review, and to produce metrics. They directly support IBM Security Orchestration & Automation features such as incident response actions, reports, incident list views, and analytics dashboards. Each field should be distinct, specific, and purposeful: one field for one piece of information, captured for a reason.

Data tables are particularly useful for structured “master-detail” data that is observed and managed during an incident, such as a list of affected users with their roles and contact details, compromised machines with their business function and network zone, or office locations and resources. They are often used together with functions and custom actions, where the rows are populated from another security program.

Depending on the integration, users might be able to initiate an action in the remote security program directly from a row in the data table.