Introduction
Security ticketing is a fundamental process in modern cybersecurity operations, serving as the backbone of incident management and response. This hands-on lab introduces security professionals to the concept of security tickets and ticketing systems, essential tools for managing and tracking security-related events, incidents, and alerts in an organized manner.
In many security environments, particularly in Security Operations Centers (SOCs), security tickets form the primary work queue for Tier 1 and 2 analysts. Understanding how to effectively create, manage, and resolve these tickets is crucial for maintaining a robust security posture and ensuring timely responses to potential threats.
This lab aims to provide participants with practical experience in working with security tickets, focusing on the following key learning objectives:
- Define and describe security tickets and their importance in cybersecurity operations.
- Identify and explain the core components of a security ticket.
- Understand the various resolution paths for security tickets and common follow-up actions.
- Gain hands-on experience with a security ticketing platform, specifically TheHive, learning how to create, edit, and close tickets within the system.
By the end of this lab, participants will have a solid foundation in security ticketing practices, enabling them to contribute effectively to security operations and incident response processes in real-world scenarios.
Lab Questions and Answers: 1.1 Core Concepts
1. A "security ticketing system" is:
A. A method of issuing tickets for people to enter a secure facility.
B. A tool used to track IT help desk requests related to hardware, software and application problems.
C. A tool used to track IT security requests, events, incidents or alerts that require additional action.
D. A tool used to scan systems and log their vulnerabilities.
Answer: C
2. In which of the following might you find security tickets?
A. IDS alert logs
B. TheHive
C. Firewall logs
D. Ticketmaster (TM)
Answer: B
3. Which of the following metadata fields will tell you whether a ticket has been added to your list of tasks?
A. Assignee
B. Created by
C. Created at
D. Updated by
Answer: A
4. In addition to the results of your analysis, when deciding how to resolve a ticket, what should serve as a primary guide for your actions?
A. Your horoscope
B. Advice found on relevant Reddit threads.
C. Your organization's policies and procedures
D. One of the top 3-5 results when you Google the problem.
Answer: C
Lab Questions and Answers: 1.2 Guided Exercise
1. What is the name of the impacted system in Ticket 1?
Answer: Server-2
2. What is the username of the impacted user in Ticket 1?
Answer: jsmith
3. What is the initial status of the ticket you created?
Answer: New
4. After applying your filter, how many tickets appear in the ticket queue?
Answer: 1
Lab Questions and Answers: 1.3 Challenge Exercise
Conclusion
This hands-on lab has provided participants with practical experience in security ticketing basics using TheHive. Through a series of guided exercises, participants explored the fundamental components of security tickets and learned essential skills for managing them effectively.
The lab covered key aspects of ticket management, including exploring ticket details, creating new tickets, adding annotations, reassigning tickets to different analysts, and applying filters to the ticket queue. These activities simulated real-world scenarios that security professionals encounter in operational environments. Participants also practiced the important process of properly closing a ticket, reinforcing the significance of maintaining a clear audit trail.
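To make the workflow above concrete, here is a small Python model of the ticket fields from the Core Concepts questions (assignee, created by, created at, updated by, status) and the guided-exercise actions (create, annotate, reassign, filter, close). It is an added illustration written for this page, not code from the lab or from TheHive; the lifecycle beyond the "New" status, the analyst names and the second ticket are constructed assumptions, while Ticket 1's impacted system and user are taken from the answers above. The point it adds is that every change, including the closing resolution, lands in an append-only audit trail, and that an illegal transition (reopening a closed ticket) is refused rather than silently recorded.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Assumed lifecycle New -> In Progress -> Closed; only "New" is named on this page.
TRANSITIONS = {"New": {"In Progress", "Closed"}, "In Progress": {"Closed"}, "Closed": set()}


@dataclass
class Ticket:
    ticket_id: int
    title: str
    impacted_system: str
    impacted_user: str
    created_by: str
    created_at: datetime
    assignee: Optional[str] = None   # the field that puts a ticket on an analyst's task list
    status: str = "New"
    updated_by: Optional[str] = None
    updated_at: Optional[datetime] = None
    audit: list = field(default_factory=list)   # append-only history of every change

    def record(self, actor, action, detail):
        """Append an audit entry and refresh the updated_by / updated_at metadata."""
        now = datetime.now(timezone.utc)
        self.audit.append({"at": now, "by": actor, "action": action, "detail": detail})
        self.updated_by, self.updated_at = actor, now

    def assign(self, actor, analyst):
        previous = self.assignee
        self.assignee = analyst
        self.record(actor, "assign", f"{previous} -> {analyst}")

    def annotate(self, actor, text):
        self.record(actor, "note", text)

    def set_status(self, actor, new_status):
        if new_status not in TRANSITIONS[self.status]:
            raise ValueError(f"illegal transition {self.status} -> {new_status}")
        previous = self.status
        self.status = new_status
        self.record(actor, "status", f"{previous} -> {new_status}")

    def close(self, actor, resolution):
        # Closing without a recorded resolution would leave a hole in the audit trail.
        if not resolution.strip():
            raise ValueError("a closed ticket needs a resolution")
        self.set_status(actor, "Closed")
        self.record(actor, "resolution", resolution)


class TicketQueue:
    def __init__(self):
        self._tickets = []
        self._next_id = 1

    def create(self, created_by, title, impacted_system, impacted_user):
        ticket = Ticket(self._next_id, title, impacted_system, impacted_user,
                        created_by, datetime.now(timezone.utc))
        ticket.record(created_by, "create", title)
        self._next_id += 1
        self._tickets.append(ticket)
        return ticket

    def filter(self, **criteria):
        """Tickets matching every field=value pair, e.g. filter(assignee="analyst2")."""
        return [t for t in self._tickets if all(getattr(t, k) == v for k, v in criteria.items())]


def run_guided_exercise():
    """Replay the lab's workflow on constructed data and return the values to check."""
    queue = TicketQueue()
    # Ticket 1: Server-2 / jsmith come from the lab answers; the title is constructed.
    t1 = queue.create("soc-feed", "Suspicious login on Server-2", "Server-2", "jsmith")
    t1.assign("analyst1", "analyst1")
    # Ticket 2: the ticket the participant creates (all values constructed).
    t2 = queue.create("analyst1", "EDR alert on Workstation-7", "Workstation-7", "adoe")
    initial_status = t2.status
    t2.annotate("analyst1", "Unsigned binary flagged; collecting the process tree")
    t2.assign("analyst1", "analyst2")             # reassign to another analyst
    analyst2_queue = queue.filter(assignee="analyst2")
    t1.set_status("analyst1", "In Progress")
    t1.close("analyst1", "User confirmed the login; benign, no further action")
    return {
        "initial_status": initial_status,
        "filtered_count": len(analyst2_queue),
        "t1_status": t1.status,
        "t1_audit_actions": [entry["action"] for entry in t1.audit],
    }


def closed_ticket_rejects_reopen():
    """Closed is terminal in the assumed lifecycle, so reopening must be refused."""
    ticket = TicketQueue().create("analyst1", "test", "host", "user")
    ticket.close("analyst1", "resolved")
    try:
        ticket.set_status("analyst1", "New")
    except ValueError:
        return True
    return False
```

Running `run_guided_exercise()` reproduces the guided-exercise answers on this model: the new ticket starts in "New", a filter on `assignee="analyst2"` returns one ticket, and Ticket 1 ends "Closed" with create, assign, two status changes and the resolution in its audit trail. The same idea is what a real platform such as TheHive gives you through its metadata fields: if a status or assignee changes without a corresponding history entry, the ticket is no longer a reliable record of what the analyst did.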
By completing this lab, participants have gained hands-on experience that bridges the gap between theoretical knowledge and practical application. These skills form a foundation for effective security operations and incident response. As participants continue to develop their expertise, they will find that proficient ticket management is essential for maintaining an organized and efficient security posture in any organization.