This page deals with Security Orchestration Automation and Response.
- PaloAlto, Security orchestration for dummies
- ThreatConnect, SIRP / SOA / TIP benefits
- Swimlane, Cyber Threat readiness report 2023;
- Gartner, Market Guide for Security Orchestration, Automation and Response Solutions
- Microsoft, Microsoft Defender XDR, Security Copilot and Sentinel integrated into 1 portal
As per Gartner definition:
Hence 3 critical tools (see above): SIRP, TIP and SOA, on top of the SIEM.
And in my view, SOAR is more an approach, a vision, based on technology and processes, than a technology or tool per se.
More specifically, SOAR mainly aims at:
- reducing human error;
- offloading repetitive and low-value tasks from humans to an automated system (the security orchestrator);
- improving integration between tools (thanks to APIs);
- increasing the performance of SOC/CERT teams (higher workload with the same teams) and processes (quicker process runs).
Online automated hash checker (script):
Online URL automated analysis:
- my recommendation: CyberGordon, URLScan.io
Online automated sample analyzer:
- my recommendation, via script and without sample submission: Malwoverview;
- my recommendations for online dynamic analysis: Hybrid-Analysis, Joe Sandbox
Offline automated sample analyzer:
- My recommendation: Qu1cksc0pe
(pure) Windows tasks automation:
- My recommendations: AutoIT, Chocolatey
SaaS-based (and partly free, for basic stuff) SOA:
Try to implement at least the following automations, leveraging the SOA/SIRP/TIP/SIEM capabilities:
- Make sure all the context from any alert is automatically transferred to the SIRP ticket, with a link back to the SIEM alert(s) in case it is needed.
- Leverage APIs (through the SOA) to retrieve any context that the built-in integrations do not supply.
- Automatically query the TIP for any artefacts or even IOCs that are associated with a SIRP ticket.
- Automatically retrieve the history of antimalware detections for a user and/or endpoint that is associated with a SIRP ticket.
- Automatically retrieve the history of SIEM detections for a user and/or endpoint that is associated with a SIRP ticket.
- Automatically retrieve the history of SIRP tickets for a user and/or endpoint that is associated with a new SIRP ticket.
- Automatically query AD or the asset management solution for artefact enrichment (user, endpoint, IP, application, etc.).
- Block an IP on all firewalls (including VPN), SWG and CASB.
- Block a URL on the SWG.
- Block an email address (sender) on the SEG.
- Block an exe file (by hash) on endpoints (leveraging antimalware/EDR or AppLocker).
- Block an exe file (by hash) on gateways and CASB: SWG, SEG, CASB.
- Reset an AD account password.
- Disable an AD account (both user and computer, since disabling the computer account blocks authentication with any AD account on that endpoint, thus preventing lateral movement or privilege escalation from it).
- Report an (undetected) sample to security vendors, via email. Here are a few addresses, in case of need:
  - File samples (to be attached in a password-protected Zip file, with 'infected' as the password): [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
  - URL/IP samples: [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected], [email protected]
- Report a false positive to security vendors, via email;
  - You may want to have a look at this page to know the required email address.
- Report a malicious URL (for instance, phishing) to a security vendor for takedown steps:
  - My recommendation: Netcraft via API, or PhishReport.
- Block an IP address on web servers, Linux firewalls, etc. based on community-driven CTI:
  - My recommendation: CrowdSec bouncer
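As an added illustration (not code from the original page nor from any product named above), here is a minimal Python playbook sketching the enrichment steps listed above: artefacts are pulled from the SIEM alert text, checked against the TIP, correlated with prior SIRP tickets for the user/endpoint, and turned into containment proposals that an analyst still approves. The TIP, the SIRP history and the alert are constructed in-memory stand-ins for the real APIs.

```python
import ipaddress
import re

# Constructed stand-ins: a real playbook would call the TIP and SIRP APIs instead.
TIP = {
    "198.51.100.23": {"verdict": "malicious", "source": "feed-A"},
    "0123456789abcdef0123456789abcdef": {"verdict": "malicious", "source": "vendor-B"},
}
SIRP_HISTORY = {
    "user": {"alice": ["INC-0101"]},
    "endpoint": {"WS-042": ["INC-0087", "INC-0101"]},
}
# Guardrail: never propose a firewall block for internal (RFC 1918) ranges
NO_BLOCK = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[a-fA-F0-9]{32}\b")

# Constructed SIEM alert, as it would arrive in the SIRP ticket context
SAMPLE_ALERT = {
    "id": "SIEM-4711", "user": "alice", "endpoint": "WS-042",
    "raw": "Outbound connection from 10.0.0.5 to 198.51.100.23; "
           "dropped file md5=0123456789ABCDEF0123456789abcdef",
}


def extract_artefacts(alert_text):
    """Pull IPs and MD5 hashes out of free-text alert context (hashes normalised to lowercase)."""
    return {
        "ip": sorted(set(IP_RE.findall(alert_text))),
        "hash": sorted({h.lower() for h in MD5_RE.findall(alert_text)}),
    }


def enrich(alert):
    """Build the SIRP ticket enrichment: TIP verdicts, prior tickets, proposed (not executed) actions."""
    art = extract_artefacts(alert["raw"])
    ticket = {"siem_alert_id": alert["id"], "artefacts": art, "tip": {}, "history": {}, "proposed_actions": []}
    for value in art["ip"] + art["hash"]:
        if value in TIP:                     # TIP lookup for every artefact
            ticket["tip"][value] = TIP[value]
    ticket["history"]["user"] = SIRP_HISTORY["user"].get(alert["user"], [])
    ticket["history"]["endpoint"] = SIRP_HISTORY["endpoint"].get(alert["endpoint"], [])
    for ip in art["ip"]:                     # only TIP-confirmed, non-internal IPs are candidates
        if ip in ticket["tip"] and not any(ipaddress.ip_address(ip) in n for n in NO_BLOCK):
            ticket["proposed_actions"].append(f"block_ip:{ip}")
    ticket["proposed_actions"] += [f"block_hash:{h}" for h in art["hash"] if h in ticket["tip"]]
    return ticket


if __name__ == "__main__":
    print(enrich(SAMPLE_ALERT))
```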