Chapter 7: SIEM & SOAR
Security Operation Automation
Repetitive tasks can be automated to handle security incidents faster.
Security Incident Response
SOAR includes tools that respond to security-related incidents.
SOAR
Security Orchestration, Automation and Response
What is a Playbook?
- A flow of actions designed to reduce the need for human intervention in repetitive tasks.
- Playbooks can be fully automatic or defined to require human intervention at critical decision-making points.
- Playbooks use conditions (branches) to handle many types of scenarios.
Triage & Identification
- A way to identify and prioritize alerts.
- SOAR triage is performed in addition to the triage already done by the SIEM platform.
- Resolves the question of which alerts are considered critical by applying consistent criteria.
Demisto Playbooks
- Able to carry out the entire incident lifecycle.
- Can even be followed by junior analysts.
- Tasks can be assigned deadlines.
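The playbook slides above describe a flow of tasks with conditional branches, optional human-intervention points and per-task deadlines. The following is an added example of such an engine in Python; it is not Demisto / Cortex XSOAR code, and the incident fields, reputation table, task names and actions are all constructed for illustration.

```python
"""A minimal playbook engine: a flow of tasks with conditional branching,
optional human-approval gates and a per-task deadline.
Added example for illustration; this is not Demisto / Cortex XSOAR code, and
the incident fields, reputation table and actions are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional


@dataclass
class Task:
    name: str
    action: Callable[[dict], dict]                  # runs on the incident, returns fields to merge
    next_task: Optional[str] = None                 # unconditional successor (None ends the flow)
    branch: Optional[Callable[[dict], str]] = None  # conditional successor chosen from the context
    requires_approval: bool = False                 # manual decision point before the action runs
    deadline: timedelta = timedelta(hours=4)        # SLA for completing this task


class Playbook:
    def __init__(self, start: str, tasks: Dict[str, Task]):
        self.start, self.tasks = start, tasks

    def run(self, incident: dict, approve: Callable[[str, dict], bool],
            now: datetime = datetime(2024, 5, 1, 9, 0)):
        """Walk the flow. `approve(task_name, incident)` stands in for the analyst
        at manual gates; returning False parks the incident for human review."""
        trail, current = [], self.start
        while current:
            task = self.tasks[current]
            due = (now + task.deadline).isoformat()
            if task.requires_approval and not approve(task.name, incident):
                incident["status"] = "pending_analyst"
                trail.append((task.name, "awaiting_approval", due))
                return trail
            incident.update(task.action(incident))
            trail.append((task.name, "done", due))
            current = task.branch(incident) if task.branch else task.next_task
        return trail


# --- constructed task actions (hypothetical, for illustration only) -----------
THREAT_INTEL = {"203.0.113.7": 95, "198.51.100.2": 10}   # constructed reputation scores (0-100)

def enrich(ctx):           # automatic: look up the source IP
    return {"reputation": THREAT_INTEL.get(ctx["src_ip"], 0)}

def triage(ctx):           # automatic: set severity from the enrichment result
    return {"severity": "high" if ctx["reputation"] >= 80 else "low"}

def route(ctx):            # condition: pick the branch of the flow
    return "isolate_host" if ctx["severity"] == "high" else "close_case"

def isolate(ctx):          # a real playbook would call the EDR/NAC API here
    return {"host_isolated": True}

def close(ctx):            # case management: close the case without human intervention
    return {"status": "closed"}


PLAYBOOK = Playbook("enrich", {
    "enrich":       Task("enrich", enrich, next_task="triage", deadline=timedelta(minutes=15)),
    "triage":       Task("triage", triage, branch=route, deadline=timedelta(minutes=30)),
    "isolate_host": Task("isolate_host", isolate, next_task="close_case",
                         requires_approval=True, deadline=timedelta(hours=1)),
    "close_case":   Task("close_case", close),
})


def handle(src_ip: str, approve: Callable[[str, dict], bool]):
    """Open a case for a suspicious source IP and run the playbook against it."""
    incident = {"id": "INC-0001", "src_ip": src_ip, "status": "open"}
    trail = PLAYBOOK.run(incident, approve)
    return incident, [(name, state) for name, state, _ in trail]


if __name__ == "__main__":
    # fully automatic run: the "analyst" approves isolation
    print(handle("203.0.113.7", approve=lambda task, ctx: True))
    # same incident, but isolation needs a human: the flow parks at the gate
    print(handle("203.0.113.7", approve=lambda task, ctx: False))
    # low-reputation source: the flow takes the other branch and auto-closes
    print(handle("198.51.100.2", approve=lambda task, ctx: False))
```

The `requires_approval` flag is the "critical decision-making point" from the slides: everything before it runs unattended, and the case is only isolated and closed once the gate is passed. Swapping the `approve` callback for one that always returns True turns the same playbook into a fully automatic one.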
Correlation Alerts
- Alerts from different events, correlated into a single result.
- Indicate related suspicious behavior reported by different products (for example, a firewall and an endpoint agent both flagging the same host).
What is an Alert?
- An informative message.
- Indicates a possible anomaly, threat, or attack.
- Based on predefined criteria or rules.
Aggregation Alerts
- Consolidate log events that carry identical values in predefined fields within a specific time frame.
- Detect attacks such as brute force (many failed logins from one source) and port scanning (one source touching many ports).
Demisto
- Demisto is a SOAR platform from Palo Alto Networks (acquired in 2019 and since renamed Cortex XSOAR).
- Dozens of built-in, customizable automations.
- Integrates with various technologies via API.
What is SOAR?
- Designed to reduce the need for human intervention during incident response (IR).
- Receives incidents from various systems (not just the SIEM).
- Executes automations as incident response functions.
SOAR Benefits
- Reduces the repetitive workload of tier 1 analysts (it does not remove the need for human judgment at critical decision points).
- Reduces response time to incidents.
- Saves time and money.
Types of Alerts
- Internal/External Attacks
- Compromised User Accounts and Workstations
- Abuse of Privileges
- Fraud
How SOAR Works
- Like SIEM, SOAR receives events from multiple sources.
- SOAR automates actions upon detection of specific events.
Incident Case Management
- Open and close cases without human intervention.
- Integrate with other case management systems.
- Some SOAR solutions use a ticketing model.
Anomaly Exploration
- Studies environment trends.
- Looks for any deviation from the norm.
- Detects suspicious behavior.
- Uses a timeline to study behavior.
Creating Playbooks
- To create a new playbook in Demisto, click the Playbooks icon in the sidebar on the left.
- Then click + New Playbook in the top right corner.
Dashboards
- Various dashboards can be created in Splunk.
- Granular dashboard configuration via SPL (the search queries behind each panel) or the dashboard's XML definition.
- Splunk apps and add-ons provide additional dashboard and visualization types.
Alert Flow
1. Log Inspection
2. Rule Definition
3. Rule Testing
4. Fine Tuning
5. Production
SOAR Features
1. Security Incident Response
2. Security Operation Automation
Real-Time Anomaly
Components of the real-time anomaly query shown in the slide:
1. The host
2. The source
3. The sampled time span
4. Searched parameter
5. Statistics filter
6. Condition
[Figure: the query in the picture displays the scanned logs of a website and reports if the response code was 403 or 404 more than 100 times over a period of five minutes.]
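The aggregation alerts, correlation alerts, alert flow and real-time anomaly slides above all describe the same mechanism: count events that share a field value inside a sliding time window and fire when a threshold is exceeded. The following is an added example (not from the course or from any SIEM product) that generalizes this into one small rule engine and runs it over constructed log events: the 403/404 burst from the slide, a brute-force login rule, a port-scan rule that counts distinct ports, and a cross-product correlation rule that counts distinct products alerting on one host. All IP addresses, hostnames, thresholds and field names are constructed for illustration.

```python
"""Windowed detection rules over sample log events.
Added example (not from the course or any SIEM product); all events, field
names, hosts and thresholds below are constructed for illustration."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Optional


@dataclass
class Rule:
    name: str
    match: Callable[[dict], bool]   # which events this rule looks at
    group_by: str                   # entity the count is kept for, e.g. src_ip or host
    threshold: int                  # fire when the count is strictly greater than this
    window: timedelta               # sliding time window
    distinct: Optional[str] = None  # if set, count distinct values of this field instead of events


class Detector:
    def __init__(self, rules):
        self.rules = rules
        # rule name -> entity -> deque of (timestamp, distinct value) inside the window
        self.state = {r.name: defaultdict(deque) for r in rules}
        self.fired = set()          # (rule, entity) pairs already alerted on

    def ingest(self, ev: dict):
        """Feed one event (events must arrive in time order); return any new alerts."""
        alerts = []
        for rule in self.rules:
            if not rule.match(ev):
                continue
            key = ev[rule.group_by]
            q = self.state[rule.name][key]
            q.append((ev["ts"], ev.get(rule.distinct) if rule.distinct else None))
            while q and ev["ts"] - q[0][0] > rule.window:   # drop events that fell out of the window
                q.popleft()
            count = len({v for _, v in q}) if rule.distinct else len(q)
            # one alert per (rule, entity); a real SIEM would suppress for a configurable period instead
            if count > rule.threshold and (rule.name, key) not in self.fired:
                self.fired.add((rule.name, key))
                alerts.append({"rule": rule.name, "entity": key, "count": count, "at": ev["ts"]})
        return alerts


RULES = [
    # the slide's query: 403/404 responses more than 100 times in five minutes (grouped by client here)
    Rule("web_error_burst", lambda e: e["source"] == "web" and e["status"] in (403, 404),
         group_by="src_ip", threshold=100, window=timedelta(minutes=5)),
    # aggregation alert: repeated failed logins from one source
    Rule("brute_force", lambda e: e["source"] == "auth" and e["outcome"] == "failure",
         group_by="src_ip", threshold=5, window=timedelta(minutes=1)),
    # aggregation alert: one source touching many distinct ports
    Rule("port_scan", lambda e: e["source"] == "fw" and e["action"] == "deny",
         group_by="src_ip", threshold=20, window=timedelta(minutes=1), distinct="dst_port"),
    # correlation alert: more than one product alerting on the same host
    Rule("multi_product_alert", lambda e: e["source"] == "alert",
         group_by="host", threshold=1, window=timedelta(minutes=30), distinct="product"),
]

T0 = datetime(2024, 5, 1, 10, 0, 0)


def sample_events():
    """Constructed events: one scanner, one benign client, one brute-forcer,
    one port scanner, and product alerts on two hosts."""
    evs = []
    for i in range(120):   # 120 error responses to one client over four minutes
        evs.append({"ts": T0 + timedelta(seconds=2 * i), "source": "web",
                    "src_ip": "203.0.113.9", "status": 404 if i % 2 else 403})
    for i in range(5):     # a legitimate client with a handful of 404s (below threshold)
        evs.append({"ts": T0 + timedelta(seconds=30 * i), "source": "web",
                    "src_ip": "198.51.100.4", "status": 404})
    for i in range(8):     # eight failed logins in about twenty seconds
        evs.append({"ts": T0 + timedelta(seconds=3 * i), "source": "auth",
                    "src_ip": "203.0.113.5", "user": "admin", "outcome": "failure"})
    for i in range(30):    # thirty different ports probed in fifteen seconds
        evs.append({"ts": T0 + timedelta(milliseconds=500 * i), "source": "fw",
                    "src_ip": "203.0.113.22", "dst_port": 1000 + i, "action": "deny"})
    for minute, product in ((1, "firewall"), (4, "edr"), (9, "idp")):   # three products, one host
        evs.append({"ts": T0 + timedelta(minutes=minute), "source": "alert",
                    "product": product, "host": "ws-17"})
    evs.append({"ts": T0 + timedelta(minutes=2), "source": "alert",   # single product, other host
                "product": "edr", "host": "ws-03"})
    return sorted(evs, key=lambda e: e["ts"])


def run(events=None, rules=RULES):
    det = Detector(rules)
    alerts = []
    for ev in events if events is not None else sample_events():
        alerts.extend(det.ingest(ev))
    return alerts


if __name__ == "__main__":
    for a in run():
        print(a)
```

Running `run()` with the constructed events is the "rule testing" step of the alert flow: the benign client (five 404s) and the host with a single product alert stay below threshold, while the scanner, the brute-forcer, the port scanner and the multi-product host each produce exactly one alert. Fine tuning then means adjusting `threshold` and `window` until the rule catches the attack pattern without firing on normal traffic.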
Alert Generation: One or More Events
Products that generate alerts ship with built-in alert rules that have been tested on live systems.
Alerts
Can be sent via email, SNMP, syslog, automatic scripts, or directly to case/incident management systems.
Rule Definition
Create a rule to match the specific behavior.
Log Inspection
Identify malicious activity from logs.
Fine Tuning
Reduce false positives by fine-tuning the alert.
Alert Generation: Monitor Events
Suspicious events in an organization trigger alerts that are handled by a SOC team.
Production
The rule is deployed and fires when an attacker's activity matches it.
Event Dashboard
[Figure: a line-graph dashboard covering a single day.]
Rule Testing
Verify that the rule matches the attack pattern.
What is a SOAR stack?
A SOAR stack is the SOAR platform together with the security tools it integrates with (for example the SIEM, case management and endpoint products), orchestrated as one set to improve security operations efficiency; it is not a data structure.