From the course: IT Help Desk for Beginners

Triage an incident

- [Instructor] The first steps help desk agents need to take when a ticket enters their inbox are to read it, tag it by topic or urgency, and route it to the right person or team. This process is known as ticket triaging, and it helps streamline workflows and can one day save your company from malware outbreaks or other serious potential problems. An incident comes in. What do we do next? Well, first we need to find out, does this affect everybody or the majority of people, or is it just affecting one or a few staff? Well, if it's just affecting one or a few staff, then it's probably going to be registered as a low or medium ticket, so we'll need to create that ticket and then contact the user and resolve the issue. But what if it affects a lot of people? If it affects all or a lot of the people at the company, then it's going to be a high priority ticket. You're going to need, of course, to create that ticket and escalate as needed, and that's because you might need to get multiple people involved. After the escalation and the resolution, then you can go ahead and close the ticket and then document the incident. When I was a help desk agent and then later on managed staff in my own company, I would train myself and my staff to triage an incident based on several factors. What is the issue? Open a ticket, if not already done. Many times issues come in over a web portal, so the ticket may be automatically created, or it may come in by text or email. In those cases, I would need to create the ticket myself. How many people are affected? Is it a single person, a few, an entire department, or the entire company, such as an internet outage? The more people affected, the higher the priority should be. Will this issue spread if not resolved quickly? If this issue is malware related, then I would need to bring in all hands to discuss shutting down access to servers or shutting down the servers themselves. I may also want to bring down internet connectivity.
These are important decisions that help desk staff by themselves won't be able to make on their own, but they will be able to quickly escalate them as a sort of IT fire alarm. Let's take a real-world situation, one that you'll probably experience multiple times in your career, and that is an unknown virus breaks out. There's talk of data files being deleted by the thousands off computers and servers. What do you do, and what do you do in what order? And, of course, what do you not do? Take a look at these different options that you have. You can inform everyone in the company of the outbreak, shut down all the PCs and servers, discuss the situation, document the incident and resolution, let the staff continue to work, use an isolated PC to send a sample file to the antivirus company, apply new antivirus patches to each computer, and unplug the network switches. All of these, except for one, are things you're going to do; however, they're all out of order. So what you can do now is pause the video, get out a piece of paper or anything else that you use to document, and write down what you would do, in what order, and what you would not do. Then go ahead and restart the video, and I'll give you the answers along with the explanation. (upbeat music) I hope you gave it a lot of thought, because it is going to happen in many different situations in your career. So let's take a look at the first one. Discuss the situation with your boss and department heads. Why do you want to do that first? Well, that's because you don't have the authority to go in and shut down all the servers, shut down the internet, turn off all the computers, and announce the problem to everyone. You need to let the people who own the company, who are in charge of the company, make those decisions, or you could be in real trouble. The next thing you should do is inform everyone in the company of the outbreak and its severity.
Now, this is going to vary by the size of the company and the way that the company disseminates information out to all the users. It may be an overhead announcement, it may be the department heads visiting each of the users in their department, or some other manner. The next thing to do would be, once everyone's informed, to unplug the network switches for the entire company, once you get authorization to do that. The reason you want to unplug the network switches is that, that way, no computer is able to communicate with any other computer, so they cannot cause any type of spread of the malware. Then you want to shut down all the PCs and servers. Now, this can happen at the same time as you're unplugging the network switches. So when the department heads or the overhead announcement comes out saying that there is some malware and that we need to shut down our computers, you can be unplugging the network switches at the same time. However, you may beat everyone to the punch by unplugging those network switches first. After the PCs and servers are all shut down in a graceful manner, you want to use an isolated PC to send a sample file to the antivirus or anti-malware company. Now, I've had this happen multiple times where my company was one of the first ones to receive a piece of malware, and there were no antivirus signatures to kill off that virus, so we needed to call up the anti-malware company, whether it be Microsoft or any third-party company, and discuss the situation with them so they could write an antivirus signature that we could then distribute out to all of the users' computers. Then we need to apply the new antivirus patch to each computer. Now, keep in mind, I did not yet plug all the network switches back in. You're going to have to go to each computer individually, because if you plug the network switches back in, then that virus could spread, and files could be corrupted or deleted.
Then we want to document the incident and resolution. Make sure you do that because you never know when a similar incident may happen again. And what you do not want to do is let the staff continue to work until the issue is resolved. I hope you did well in setting up your real-world situation so you're prepared when it happens to you. And if not, that's okay. I've given you the answers, so now you know what to do. Triaging incidents in your company can make the difference between a minor setback and a major problem.
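The triage rules described above (scope decides priority, a suspected malware outbreak escalates immediately, and the containment steps run in a fixed order with "let staff keep working" deliberately excluded), written out as an added example that is not part of the course; the headcount thresholds for "one" versus "a few" staff are assumptions, since the video does not give numbers:

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Incident:
    summary: str
    affected: int                    # staff reporting the issue
    headcount: int                   # total staff at the company
    malware_suspected: bool = False  # files vanishing, unknown virus, etc.
    ticket_id: Optional[str] = None  # None when it arrived by text/email, not the portal

# Outbreak response in the order the transcript gives it. "Let the staff
# continue to work" is intentionally absent: it is the one thing not to do.
MALWARE_PLAYBOOK = [
    "discuss with boss and department heads; get authorization",
    "inform everyone of the outbreak and its severity",
    "unplug the network switches company-wide",
    "shut down all PCs and servers gracefully",
    "send a sample file to the AV vendor from an isolated PC",
    "apply the new AV signature to each PC individually (switches still unplugged)",
    "document the incident and resolution",
]

FEW_STAFF = 5  # assumed cutoff for "a few" users (not stated in the course)

def triage(inc: Incident) -> dict:
    """Return ticket id, priority, whether to escalate, and ordered steps."""
    # Open a ticket if the portal did not already create one.
    ticket = inc.ticket_id or "NEW-TICKET"
    if inc.malware_suspected:
        # Spread risk overrides scope: even two users means all hands.
        return {"ticket": ticket, "priority": "high", "escalate": True,
                "steps": list(MALWARE_PLAYBOOK)}
    if inc.affected <= 1:
        priority, escalate = "low", False
    elif inc.affected <= FEW_STAFF and inc.affected < inc.headcount:
        priority, escalate = "medium", False
    else:
        # A department, or the whole company (e.g. an internet outage).
        priority, escalate = "high", True
    steps = ["contact the user and resolve"]
    if escalate:
        steps.insert(0, "escalate and pull in the people needed")
    steps += ["close the ticket", "document the incident"]
    return {"ticket": ticket, "priority": priority, "escalate": escalate,
            "steps": steps}
```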
