Figure SE.18 - Security Incident : Class diagram
Created: 3/28/2022 3:51:09 PM
Modified: 6/23/2022 5:52:02 PM
Security Incidents often have an assessment performed to determine their root cause. A lifecycle is associated with an incident, and provides both the reported and detected time and the associated interval (time period). Other important information is “who is taking action”, “what actions are and have been taken”, “who is affected”, and “whether the incident is an exercise or real”. Trouble tickets can be attached to Security Incidents.

In order to perform incident analysis and trending, it is important to capture how the incident happened, what threat actor caused it, and how “bad” the damage is.

The underlying event data, often captured by sensors/observers, are provided for additional analysis.