
Security Orchestration, Automation, and Response for Security Analysts

By : Benjamin Kovacevic

Overview of this book

What your journey will look like

With the help of this expert-led book, you’ll become well versed with SOAR, acquire new skills, and make your organization's security posture more robust. You’ll start with a refresher on the importance of understanding cyber security, diving into why traditional tools are no longer helpful and how SOAR can help. Next, you’ll learn how SOAR works and what its benefits are, including optimized threat intelligence, incident response, and utilizing threat hunting in investigations. You’ll also get to grips with advanced automated scenarios and explore useful tools such as Microsoft Sentinel, Splunk SOAR, and Google Chronicle SOAR. The final portion of this book will guide you through best practices and case studies that you can implement in real-world scenarios. By the end of this book, you will be able to successfully automate security tasks, overcome challenges, and stay ahead of threats.
Table of Contents (14 chapters)
Part 1: Intro to SOAR and Its Elements
Part 2: SOAR Tools and Automation Hands-On Examples

What this book covers

Chapter 1, The Current State of Cybersecurity and the Role of SOAR, is a general overview of cybersecurity, why traditional tools aren’t enough in the fight, and how modern tools add value to a SOC. We will continue with the topic of SOAR, what it is, why it’s one of the SOC analysts’ “best friends,” and how it can reduce the amount of time required to respond to incidents.

Chapter 2, A Deep Dive into Incident Management and Investigation, will focus on incident management and investigation, its importance, and some of the best approaches to incident management and investigation. This will include owner assignment, collaboration, modern tools, and lessons learned as one of the most critical aspects of incident investigation.

Chapter 3, A Deep Dive into Automation and Reporting, provides an overview of automation as one of the most significant elements of SOAR. We will cover automation as a SOC’s best friend, why you should be using it, and what we can automate. In this chapter, we will go through reporting, as well as how it can help SOCs be more efficient.

Chapter 4, Quick Dig into SOAR Tools, will go over the best-known SOAR tools, how they look, and what options they have. In it, we will go through the importance of SOAR and how it changed the traditional SIEM space.

Chapter 5, Introducing Microsoft Sentinel Automation, will introduce all aspects of Microsoft Sentinel automation on a more profound level, as a continuation of the Microsoft Sentinel SOAR intro in the previous chapter. We will be explaining topics such as automation rules and playbooks and how to utilize them to fight the dark side.

Chapter 6, Enriching Incidents Using Automation, focuses on the first hands-on example, where we will show you how to utilize solutions such as VirusTotal to enrich incidents on creation/update. We will go over enrichment and how we can use it to reduce the time taken for initial triage from hours to minutes!

Chapter 7, Managing Incidents with Automation, will focus on incident management with automation, how to control false-positive/low-severity incidents, and user/SOC analyst inputs for faster incident resolution. MTTA and MTTR are the key SOC metrics, and proper automation will lower both of them.

Chapter 8, Responding to Incidents Using Automation, will focus on responding to the incident as one of the most critical automation scenarios. Examples include blocking the user, isolating the host, blocking the IP, resetting users’ passwords, and so on. A fast response can contain a bad actor at an early stage, and with automation, this can be done as soon as the incident is created – with or without SOC analyst interaction.

Chapter 9, Mastering Microsoft Sentinel Automation: Tips and Tricks, will go over tips and tricks for using Microsoft Sentinel as an automation tool. We will demonstrate its power under the hood and how to utilize automation below the GUI. This will include the options for automatically adding “hidden” elements, functions for better content control, and everything about the HTTP action.