What this book covers
Chapter 1, The Current State of Cybersecurity and the Role of SOAR, is a general overview of cybersecurity, why traditional tools aren’t enough in the fight, and how modern tools add value to a SOC. We will continue with the topic of SOAR, what it is, why it’s one of the SOC analysts’ “best friends,” and how it can reduce the amount of time required to respond to incidents.
Chapter 2, A Deep Dive into Incident Management and Investigation, will focus on incident management and investigation, its importance, and some of the best approaches to incident management and investigation. This will include owner assignment, collaboration, modern tools, and lessons learned as one of the most critical aspects of incident investigation.
Chapter 3, A Deep Dive into Automation and Reporting, provides an overview of automation as one of the most significant elements of SOAR. We will cover automation as a SOC’s best friend, why you should be using it, and what we can automate. In this chapter, we will go through reporting, as well as how it can help SOCs be more efficient.
Chapter 4, Quick Dig into SOAR Tools, will go over the most well-known SOAR tools, how they look, and what options they have. In it, we will go through the importance of SOAR and how it changed the traditional SIEM space.
Chapter 5, Introducing Microsoft Sentinel Automation, will introduce all aspects of Microsoft Sentinel automation on a more profound level, as a continuation of the Microsoft Sentinel SOAR intro in the previous chapter. We will be explaining topics such as automation rules and playbooks and how to utilize them to fight the dark side.
Chapter 6, Enriching Incidents Using Automation, focuses on the first hands-on example, where we will show you how to utilize solutions such as VirusTotal to enrich incidents on creation/update. We will go over enrichment and how we can use it to reduce the time taken for initial triage from hours to minutes!
Chapter 7, Managing Incidents with Automation, will focus on incident management with automation, how to control false-positive/low-severity incidents, and user/SOC analyst inputs for faster incident resolution. MTTA and MTTR are the main SOC measurements, and proper automation will lower both of them.
Chapter 8, Responding to Incidents Using Automation, will focus on responding to the incident as one of the most critical automation scenarios. Examples include blocking the user, isolating the host, blocking the IP, resetting users’ passwords, and so on. A fast response can isolate a bad actor in its initial stage, and with automation, this can be done as soon as the incident is created – with or without SOC analyst interaction.
Chapter 9, Mastering Microsoft Sentinel Automation: Tips and Tricks, will go over tips and tricks for using Microsoft Sentinel as an automation tool. We will demonstrate its power under the hood and how to utilize automation below the GUI. This will include the options for automatically adding “hidden” elements, functions for better content control, and everything about HTTP action.