Security Orchestration, Automation, and Response for Security Analysts

By : Benjamin Kovacevic

5 (1)

Buy this Book

Security Orchestration, Automation, and Response for Security Analysts

5 (1)

By: Benjamin Kovacevic

Buy this Book

Overview of this book

What your journey will look like With the help of this expert-led book, you’ll become well versed with SOAR, acquire new skills, and make your organization's security posture more robust. You’ll start with a refresher on the importance of understanding cyber security, diving into why traditional tools are no longer helpful and how SOAR can help. Next, you’ll learn how SOAR works and what its benefits are, including optimized threat intelligence, incident response, and utilizing threat hunting in investigations. You’ll also get to grips with advanced automated scenarios and explore useful tools such as Microsoft Sentinel, Splunk SOAR, and Google Chronicle SOAR. The final portion of this book will guide you through best practices and case studies that you can implement in real-world scenarios. By the end of this book, you will be able to successfully automate security tasks, overcome challenges, and stay ahead of threats.

Preface

Who this book is for

What this book covers

To get the most out of this book

Download the example code files

Download the color images

Conventions used

Get in touch

Share your thoughts

Download a free PDF copy of this book

Part 1: Intro to SOAR and Its Elements

Free Chapter

Chapter 1: The Current State of Cybersecurity and the Role of SOAR

Traditional versus modern security

The current state of cybersecurity

What is SOAR?

Summary

Chapter 2: A Deep Dive into Incident Management and Investigation

What are SOC tiers?

Understanding incident management

Investigating NIST and SANS incident management frameworks

Incident tasks – to do or not to do

Investigation starting point – incident investigation page

The incident investigation process

Understanding threat hunting

Summary

Chapter 3: A Deep Dive into Automation and Reporting

An in-depth view of automation

An in-depth view of reporting

TI and TVM – how important are they?

Summary

Part 2: SOAR Tools and Automation Hands-On Examples

Chapter 4: Quick Dig into SOAR Tools

Microsoft Sentinel SOAR

Splunk SOAR (Phantom)

Google Chronicle SOAR (Siemplify)

Summary

Chapter 5: Introducing Microsoft Sentinel Automation

The purpose of Microsoft Sentinel automation

All about automation rules

All about playbooks

Monitoring automation rules and playbook health

Summary

Chapter 6: Enriching Incidents Using Automation

Why should you use automation for incident enrichment?

Creating your own Microsoft Sentinel trail

VirusTotal playbook – IP enrichment

VirusTotal playbook – URL enrichment

Summary

Chapter 7: Managing Incidents with Automation

Automated false-positive incident closure with a watchlist

Closing an incident based on SOC analyst input

Auto-closing incidents using automation rules

Summary

Chapter 8: Responding to Incidents Using Automation

Automating responses to incidents

Blocking a user upon suspicious sign-in

Isolating a machine upon new malware detection

Summary

Chapter 9: Mastering Microsoft Sentinel Automation: Tips and Tricks

Best practices for working with dynamic content and expressions

Understanding the HTTP action and its usage

Exploring more playbook actions

Summary

Index

Why subscribe?

Other Books You May Enjoy

Packt is searching for authors like you

Share your thoughts

Download a free PDF copy of this book

Customer Reviews

5 (1)

5 star

100%

4 star

3 star

2 star

1 star

Preface

Hey everyone! In this book, we will cover the topic of Security Orchestration, Automation, and Response (SOAR). SOAR is one of the main tools in Security Operation Centers (SOCs) as it provides a unique set of features that allows you to perform needed steps from incident creation to incident resolution.

There are four main elements in SOAR that we will focus on:

Incident management
Incident investigation
Automation
Reporting

We will cover all four elements in the book, starting with an overview of each element, and then showcase what each element looks like in tools such as Microsoft Sentinel, Splunk SOAR, and Google Chronicle SOAR.

As there is a lot of documentation on incident management and investigation from the perspective of incident management frameworks, the second part of the book will focus on automation with hands-on examples using Microsoft Sentinel.

I will provide step-by-step instructions on how to create, test, and utilize automation using Microsoft Sentinel based on personal experience working with Microsoft Sentinel automation, the documentation available, and experience gathered working with many different organizations adapting Microsoft Sentinel, and especially Microsoft Sentinel SOAR.

The reason why we are focusing on SOAR is that it is a growing market, and many organizations are starting to adapt SOAR tools for their day-to-day operations. This can be seen best from the perspective that each Security Information and Event Management (SIEM) vendor has either created its own SOAR solution, bought a SOAR solution and integrated it with its SIEM, or has close cooperation with an independent SOAR vendor.

Security Orchestration, Automation, and Response for Security Analysts

By : Benjamin Kovacevic

Security Orchestration, Automation, and Response for Security Analysts

By: Benjamin Kovacevic

Overview of this book

Related Content you might be interested in

Current Title:

Security Orchestration, Automation, and Response for Security Analysts

Microsoft Sentinel in Action

Learn Azure Sentinel

Microsoft Unified XDR and SIEM Solution Handbook

Preface