Responding to global security incidents via an integrated alerting and triaging application
Industry Sector: Defense
Business Function: Security
Palantir Foundry’s Global Incident Response offering can improve an organization’s safety and security posture by rapidly implementing a unified, data-driven solution. This solution includes modules for risk scoring, incident triage, accounting for people, managing emergency communications, and understanding and analyzing actions taken. All these tools incorporate baked-in data and privacy protection components, and integrate seamlessly with existing tools, data feeds, and standard operating procedures (SOPs).
Challenge
In order to conduct incident response work effectively, security teams are usually forced to choose between an inflexible out-of-the-box system that claims to meet all their needs or custom building a global operations center out of various building blocks in an effort to retain ownership and flexibility.
Moreover, security teams at global organizations are inundated with data about emerging events in a chaotic world, and often struggle to separate signal from noise when trying to understand if or how events may affect the security of their people and assets. Then, when a response is necessary, it can be time consuming or even impossible to identify exactly who may be affected, due to the use of siloed systems used to manage and track different parts of the organization. And no matter how effective a given response is, there is no single source of truth that captures what decisions were made when, and who accessed what data for what purpose.
Solution
A global security team has built a comprehensive set of modules, scenarios, and models while retaining the flexibility and control needed to ensure they can meet changing requirements and not be locked in to a single vendor or system.
As a workflow solution, Foundry provides a data-driven operational framework for receiving, triaging, and acting on security alerts.
A security operations analyst (the primary user type) works from an incident alert inbox: alerts are viewed and triaged according to their expected impact on business assets, and each incident that requires a response is worked through to resolution.
A security lead reviews all incident responses and alert triage actions, judged on time to respond, the resolution achieved, and the data accessed in the course of responding.

Users and stakeholders
- Security Operations (analysts, team leads, etc.)
Impact
The main KPIs to track for defining success of the use case are:
- Time to respond.
- Ratio of false-positive incident alerts to responses required.
- Time to resolution.
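The triage workflow described under Solution and the three KPIs listed above, as an added illustration that is not Foundry code: an alert record that carries its own audit trail of data accessed, an inbox ordered by expected impact, and the KPI computation a security lead would review. All names, the impact scale, and the sample alerts are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Alert:
    alert_id: str
    created_at: datetime
    expected_impact: int                  # assumed scale 1 (low) .. 5 (critical); drives inbox order
    triaged_at: Optional[datetime] = None
    disposition: Optional[str] = None     # "false_positive" or "response_required"
    resolved_at: Optional[datetime] = None
    data_accessed: list = field(default_factory=list)  # audit trail: datasets read while responding

def inbox_order(alerts):
    """Analyst inbox: untriaged alerts, highest expected impact first, oldest first within a tier."""
    return sorted((a for a in alerts if a.triaged_at is None),
                  key=lambda a: (-a.expected_impact, a.created_at))

def triage(alert, at, disposition, datasets=()):
    alert.triaged_at, alert.disposition = at, disposition
    alert.data_accessed.extend(datasets)  # every lookup is recorded for the lead's review

def resolve(alert, at, datasets=()):
    alert.resolved_at = at
    alert.data_accessed.extend(datasets)

def hours(delta):
    return delta.total_seconds() / 3600

def kpis(alerts):
    """Mean time to respond, false-positive-to-response ratio, mean time to resolution (hours)."""
    triaged = [a for a in alerts if a.triaged_at]
    responses = [a for a in triaged if a.disposition == "response_required"]
    resolved = [a for a in responses if a.resolved_at]
    false_pos = [a for a in triaged if a.disposition == "false_positive"]
    return {
        "time_to_respond_h": sum(hours(a.triaged_at - a.created_at) for a in triaged) / len(triaged) if triaged else None,
        "fp_to_response_ratio": len(false_pos) / len(responses) if responses else None,
        "time_to_resolution_h": sum(hours(a.resolved_at - a.created_at) for a in resolved) / len(resolved) if resolved else None,
    }

def sample_shift():
    """Constructed sample: three alerts raised during one shift, handled by one analyst."""
    t0 = datetime(2024, 1, 1, 8, 0)
    alerts = [Alert("A-1", t0, 2),
              Alert("A-2", t0 + timedelta(minutes=10), 5),
              Alert("A-3", t0 + timedelta(minutes=20), 5)]
    order = [a.alert_id for a in inbox_order(alerts)]          # critical alerts surface first
    triage(alerts[1], t0 + timedelta(hours=1, minutes=10), "response_required", ["travel_records"])
    resolve(alerts[1], t0 + timedelta(hours=3, minutes=10), ["site_roster"])
    triage(alerts[2], t0 + timedelta(hours=2, minutes=20), "false_positive")
    triage(alerts[0], t0 + timedelta(hours=3), "false_positive")
    return order, kpis(alerts), alerts[1].data_accessed
```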
How it's made
The Global Incident Response solution includes modules for risk scoring, incident triage, accounting for people, managing emergency communications, and understanding and analyzing actions taken. All these tools incorporate baked-in data and privacy protection components, and integrate seamlessly with existing tools, data feeds, and SOPs.
Implement a similar use case
This use case implements the following pattern. Follow the link below to read more about the pattern and learn how it is implemented within Foundry.
- Alerting workflow (used for 7 other use cases)
Want more information on this use case? Looking to implement something similar? Get started with Palantir.