A Deep Dive into Automation and Reporting
The last chapter covered two SOAR elements – incident management and investigation. This chapter continues to drill down into SOAR elements and focuses on automation and reporting. With more and more incidents to investigate, SOC analysts are often under pressure to keep the mean time to acknowledge (MTTA) and mean time to resolve (MTTR) within the organization’s policies. If we also consider that many incidents are similar and that a SOC analyst has to perform the same actions repeatedly, it becomes clear why automation is such an important aspect of a SOC and why it is a SOC analyst’s best friend.
After looking at automation, we will jump into reporting, including how it can help organizations perform analysis, and how we can utilize it to hunt through data. We will then wrap up this chapter by focusing on Threat Intelligence (TI) and Threat and Vulnerability Management (TVM) and how they can enrich a SOC’s investigation with invaluable data.
In a nutshell...