
Security Orchestration, Automation, and Response for Security Analysts

By: Benjamin Kovacevic

Overview of this book

What your journey will look like

With the help of this expert-led book, you'll become well versed in SOAR, acquire new skills, and make your organization's security posture more robust. You'll start with a refresher on why understanding cyber security matters, why traditional tools alone are no longer sufficient, and how SOAR can help. Next, you'll learn how SOAR works and what its benefits are, including optimized threat intelligence, faster incident response, and the use of threat hunting in investigations. You'll also get to grips with advanced automated scenarios and explore useful tools such as Microsoft Sentinel, Splunk SOAR, and Google Chronicle SOAR. The final portion of the book walks through best practices and case studies that you can apply in real-world scenarios. By the end of this book, you will be able to automate security tasks successfully, overcome common challenges, and stay ahead of threats.
Table of Contents (14 chapters)
Part 1: Intro to SOAR and Its Elements
Part 2: SOAR Tools and Automation Hands-On Examples

Investigation starting point – incident investigation page

At the beginning of this chapter, we discussed incident management and the incident queue, which lists the security incidents that have been detected. Each incident carries specific information, such as ownership, status, severity, the events that led to its detection, and so on. We also noted that the incident queue needs a clean UI that is easy to read and navigate and is not cluttered with data: SOC analysts should see only the most important details of each incident in the queue.

But what happens when a SOC analyst needs more data? How does the analyst actually investigate the incident?

For this reason, we need an incident investigation page with more detailed information about the incident. In this view, we should be able to drill into the incident and investigate it.
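To make the two views concrete, here is an added Python model (not code from the book or from any SOAR product) in which the incident queue and the investigation page are two projections of the same incident record: the queue shows only the triage fields and hides closed incidents, while the investigation view drills down into the alert timeline, the deduplicated entities, and the rules that fired. The incident titles, rule names, hosts, accounts, IPs (RFC 5737 test ranges) and timestamps are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Severity ranking used to order the queue (highest first).
SEVERITY_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass
class Alert:
    """One detection that contributed to an incident."""
    alert_id: str
    rule: str                      # analytics rule / detection name
    time: datetime
    entities: Dict[str, str]       # entity type -> value, e.g. {"host": "WS-042"}


@dataclass
class Incident:
    """The full incident record; both views below are projections of it."""
    incident_id: int
    title: str
    severity: str
    status: str                    # "New", "Active" or "Closed"
    owner: Optional[str]
    alerts: List[Alert] = field(default_factory=list)


def queue_view(incidents: List[Incident], include_closed: bool = False) -> List[dict]:
    """Compact rows for the incident queue: only what is needed to triage,
    closed incidents hidden by default, sorted by severity and then by age."""
    rows = []
    for inc in incidents:
        if inc.status == "Closed" and not include_closed:
            continue
        first_seen = min(a.time for a in inc.alerts) if inc.alerts else None
        rows.append({
            "id": inc.incident_id,
            "title": inc.title,
            "severity": inc.severity,
            "status": inc.status,
            "owner": inc.owner or "Unassigned",
            "alerts": len(inc.alerts),
            "first_seen": first_seen,
        })
    rows.sort(key=lambda r: (-SEVERITY_RANK[r["severity"]],
                             r["first_seen"] or datetime.max))
    return rows


def investigation_view(inc: Incident) -> dict:
    """Drill-down for the investigation page: ordered alert timeline,
    entities deduplicated across alerts, rules fired and dwell time."""
    timeline = sorted(inc.alerts, key=lambda a: a.time)
    entities: Dict[str, set] = {}
    for a in timeline:
        for etype, value in a.entities.items():
            entities.setdefault(etype, set()).add(value)
    return {
        "id": inc.incident_id,
        "title": inc.title,
        "severity": inc.severity,
        "status": inc.status,
        "owner": inc.owner,
        "rules_fired": sorted({a.rule for a in timeline}),
        "timeline": [(a.time.isoformat(), a.rule, a.alert_id) for a in timeline],
        "entities": {k: sorted(v) for k, v in entities.items()},
        "dwell": (timeline[-1].time - timeline[0].time) if timeline else None,
    }


# Constructed sample incidents (hypothetical hosts, accounts and RFC 5737 test IPs).
T0 = datetime(2024, 3, 1, 8, 0, 0)
SAMPLE_INCIDENTS = [
    Incident(101, "Impossible travel for alice", "Medium", "New", None, [
        Alert("a1", "Impossible travel", T0, {"account": "alice", "ip": "203.0.113.7"}),
    ]),
    Incident(102, "Malware activity on WS-042", "High", "Active", "bob", [
        Alert("a2", "Suspicious PowerShell", T0 + timedelta(hours=1),
              {"host": "WS-042", "account": "alice"}),
        Alert("a3", "Endpoint malware detection", T0 + timedelta(hours=1, minutes=15),
              {"host": "WS-042", "ip": "198.51.100.3"}),
        Alert("a4", "Outbound connection to known C2", T0 + timedelta(hours=2),
              {"host": "WS-042", "ip": "198.51.100.3"}),
    ]),
    Incident(100, "Phishing URL click", "Low", "Closed", "carol", [
        Alert("a0", "Phishing URL click", T0 - timedelta(days=1), {"account": "dave"}),
    ]),
]

if __name__ == "__main__":
    for row in queue_view(SAMPLE_INCIDENTS):
        print(row)
    print(investigation_view(SAMPLE_INCIDENTS[1]))
```

The design point is that the queue and the investigation page read the same underlying record; the queue deliberately drops the per-alert detail so the analyst can rank work, and the investigation view is where the alerts are correlated (shared entities such as the same host across three alerts are what turn a list of detections into a story).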

OK, but isn’t it easier to have it all on one page? The main UI goal...