Incident tracking
This section captures general information about the incident. The main purpose is allow organizations to identify, store, and retrieve incidents over time.
Incident ID
Question text: Incident or case ID
User notes: N/A
Question type: text field
Variable name: incident_id (string)
Purpose: To uniquely identify incidents for storage and tracking over time.
Developer notes: We recommend auto-generating IDs rather than prompting the user to create/submit one. If you plan to share incident with others, we suggest not making your org's name part of the incident ID (e.g., verizonBreach_00001).
Miscellaneous: N/A
Source ID
Question text: Source or handler ID
User notes: N/A
Question type: text field
Variable name: source_id (string)
Purpose: Associate an incident with an entity that is handling or reporting it. This may be a CERT, law enforcement agency, consortium body, or some other custodian/aggregator of incident data. If the incident is handled or reported by the victim, this field is unnecessary (the victim_id will suffice).
Developer notes: N/A
Miscellaneous: N/A
Incident confirmation
Question text: Was this a confirmed security incident?
User notes: “Security incident” refers to any incident/event/occurrence/issue (or whatever) that compromises (or negatively affects) a security attribute (C-I-A) of an information asset in any form. This is an intentionally broad definition. In the case of false positives or “near misses” (unsuccessful attacks), the schema allows you to record the actor, action, and asset involved while leaving the attribute blank (since ascribing an attribute would imply the asset was negatively affected…which would mean it qualifies as an incident).
Question type: enumerated list (single-select)
Variable name: security_incident (string; enumeration)
Purpose:
Developer notes:
Miscellaneous:
Designates confirmed incidents from those that are suspected or known non-incidents. One could, if desired, record information on a significant (but unsuccessful) attack while maintaining the ability to remove it from incident rollups and reporting (if desired).
N/A
N/A
Incident summary
Question text: Please provide a brief summary of the incident.
User notes: For each major event or phase in the incident, try to convey “who did what to what/whom with what result?” with as much detail as you deem appropriate. Consider, for example, the following scenario:
“Event 1: External attacker sends phishing email to victim employee to gain admin credentials. Event 2: Employee visits web link in the phishing email and downloads a keylogger to their desktop. Event 3: Attacker uses stolen credentials to access corporate network via legitimate remote access software and searches for sensitive data. Event 4: Attacker installs a backdoor program and a packet sniffer on a web server to capture card data and store it locally. Event 5: Attacker returns via backdoor and exfiltrates the data.”
Question type: text field
Variable name: summary (string)
Purpose: Though the purpose of VERIS is to describe an incident using a structured format, capturing a short free-form narrative is still very useful for many reasons.
Developer notes: N/A
Miscellaneous: N/A
Incident notes
Question text: General incident notes:
User notes: Use this field to record general information, observations, etc about the incident that are not captured by fields specified within VERIS. Each section has a similar place to record notes, and information specific to certain aspects of the incident (e.g., the threat actor involved) should be recorded in the appropriate section.
Question type: text field
Variable name: notes (string)
Purpose: Record general information, observations, etc about the incident that are not captured by fields specified within VERIS.
Developer notes: N/A
Miscellaneous: N/A