Why should you use automation for incident enrichment?
When a new incident/case is detected, we first need to triage to check whether it is a true or false positive. In many cases, there are usually steps that SOC analysts perform when investigating new incidents. One example is if there is an IP address involved in the incident, SOC analysts will go to the Threat Intelligence blade to see whether it is malicious, or to external products such as VirusTotal or Microsoft Defender Threat Intelligence (MDTI), also known as RiskIQ. This takes SOC analysts’ time, and they need to do it every time there is an IP involved in an incident, or more than one IP, which can take a few minutes for each incident. With the number of incidents increasing daily, this can mean hours lost in the SOC every day.
But what if we can perform that step even before SOC analysts pick up the incident for investigation?