Security Orchestration, Automation, and Response (SOAR) has gone from being a cutting-edge standalone security platform to an essential feature of the enterprise security tech stack. Now, almost every security tool uses cross-platform automation to some degree.
That means that even if you don’t have a standalone SOAR platform, you’re probably using SOAR features already. Automation is vital to modern incident response, and you are using it every time you:
Stringing together these automations into cross-platform incident response playbooks is what SOAR is all about. This makes it a valuable tool for many time-consuming and repetitive investigation tasks. Let’s take a closer look at some examples of how this works in practice.
1. SOAR playbook for automated enrichment
This playbook enhances event investigation by enriching alert data with information from third-party tools. It focuses on seven specific items.
The playbook is actually a collection of seven sub-playbooks, one for each type of data. Each sub-playbook integrates with a data source such as Active Directory, an IAM platform, Endpoint Detection and Response (EDR), or a threat intelligence feed.
Each sub-playbook follows the same simple logic: it checks whether the integration it depends on is enabled, and if so, asks that tool for everything it knows about the indicator under investigation. If the tool is disabled or fails to answer, the sub-playbook records that and moves on rather than holding up the rest of the enrichment.
Pulling information from many different sources and compiling them into a single point of reference can dramatically speed up investigations. Instead of manually finding data inside different tools and platforms, you can have that information delivered to you immediately.
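As an added illustration of the enrich-then-compile logic described above (example code, not Lumifi's playbook or any vendor's API), the following Python models the "is the integration enabled?" gate, fans each indicator out to every enabled source that handles its type, and compiles the answers into one record. The integration registry, the canned responses and the alert are constructed for the example; a real SOAR replaces `query_integration` with the platform's own integration actions.

```python
# Integration registry: which sources are enabled and which indicator types each
# can enrich. Constructed for this example; a SOAR platform keeps this in config.
INTEGRATIONS = {
    "active_directory": {"enabled": True,  "handles": {"user"}},
    "iam":              {"enabled": False, "handles": {"user"}},  # disabled on purpose
    "edr":              {"enabled": True,  "handles": {"hostname", "sha256"}},
    "threat_intel":     {"enabled": True,  "handles": {"ip", "domain", "sha256"}},
}

EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Canned responses standing in for the real "get data about X" API calls (constructed).
SAMPLE_RESPONSES = {
    "active_directory": {("user", "jdoe"): {"department": "Finance", "enabled": True}},
    "edr": {("hostname", "WS-0042"): {"os": "Windows 11", "isolated": False}},
    "threat_intel": {
        ("ip", "203.0.113.7"): {"verdict": "malicious", "tags": ["c2"]},
        ("domain", "example.test"): {"verdict": "unknown"},
        ("sha256", EMPTY_SHA256): {"verdict": "benign", "first_seen": "2019-01-01"},
    },
}


def query_integration(name, ind_type, value):
    """Stand-in for one integration action (hypothetical). One combination fails
    on purpose so the playbook's error handling is exercised."""
    if name == "edr" and ind_type == "sha256":
        raise TimeoutError("EDR hash lookup timed out")
    return SAMPLE_RESPONSES.get(name, {}).get((ind_type, value))


def enrich_alert(alert, integrations=INTEGRATIONS, query=query_integration):
    """Run the enrichment sub-playbooks for every indicator on the alert.

    For each indicator: skip integrations that are disabled or do not handle that
    indicator type, query the rest, and record failures instead of aborting, so one
    slow or broken source cannot hold up the whole enrichment.
    """
    result = {"alert_id": alert["id"], "indicators": {}, "errors": []}
    for ind_type, value in alert["indicators"]:
        record = {}
        for name, cfg in integrations.items():
            if not cfg["enabled"] or ind_type not in cfg["handles"]:
                continue  # the "is the tool enabled?" gate
            try:
                data = query(name, ind_type, value)
            except Exception as exc:  # one failing source must not abort the run
                result["errors"].append(
                    {"integration": name, "indicator": f"{ind_type}:{value}", "error": str(exc)}
                )
                continue
            if data is not None:
                record[name] = data
        result["indicators"][f"{ind_type}:{value}"] = record
    return result


# Constructed alert carrying one indicator of each type the registry knows about.
SAMPLE_ALERT = {
    "id": "INC-1001",
    "indicators": [
        ("user", "jdoe"), ("hostname", "WS-0042"), ("ip", "203.0.113.7"),
        ("domain", "example.test"), ("sha256", EMPTY_SHA256),
    ],
}

if __name__ == "__main__":
    import json
    print(json.dumps(enrich_alert(SAMPLE_ALERT), indent=2))
```

Note that the disabled IAM integration never appears in the output, and the EDR timeout lands in `errors` while the threat-intel answer for the same hash is still delivered; an enrichment playbook that raised on the first failed lookup would leave the analyst with nothing.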
2. SOAR playbook for user investigations
This playbook enhances investigations into user accounts, making it a powerful tool in the hunt against insider threats. It is similar to the automated enrichment playbook listed above, but with additional user-specific context.
To streamline user investigations, you’ll want to gather user-related queries and logs from your SIEM, identity management systems, and endpoint devices. You may also add firewall data to your playbook in order to rapidly collect data on high-risk user activities in near-real time.
This playbook relies on a smaller set of sub-playbooks. It pulls entity alerts tagged with MITRE ATT&CK tactics for the user in question, obtains user investigation data from your IAM provider, and searches your SIEM for failed logons. Correlate the failed logons reported by your IAM platform with those recorded in your SIEM (the same user and source address within a short time window indicates one event confirmed by two independent sources), then compare that picture against the MITRE-tagged entity alerts and your firewall threat logs.
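The correlation step above, as an added example (not Lumifi's playbook and not any SIEM or IAM vendor's API): IAM and SIEM failed-logon records are paired when they share user and source address within a 30-second window, unmatched records from either side are kept as single-source events, and each user is then scored against the MITRE-tagged entity alerts and firewall threat logs. All four record sets, the window and the weights are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


# Constructed sample records from the four sources the playbook pulls from.
IAM_FAILED_LOGINS = [
    {"user": "jdoe",   "ts": "2024-03-01T08:00:05Z", "src_ip": "203.0.113.7"},
    {"user": "jdoe",   "ts": "2024-03-01T08:00:35Z", "src_ip": "203.0.113.7"},
    {"user": "asmith", "ts": "2024-03-01T09:10:00Z", "src_ip": "10.0.0.5"},
]
SIEM_FAILED_LOGONS = [  # e.g. Windows event 4625 forwarded to the SIEM
    {"user": "jdoe",  "ts": "2024-03-01T08:00:07Z", "src_ip": "203.0.113.7", "event_id": 4625},
    {"user": "jdoe",  "ts": "2024-03-01T08:00:36Z", "src_ip": "203.0.113.7", "event_id": 4625},
    {"user": "jdoe",  "ts": "2024-03-01T08:01:10Z", "src_ip": "203.0.113.7", "event_id": 4625},
    {"user": "bwong", "ts": "2024-03-01T11:00:00Z", "src_ip": "10.0.0.9",    "event_id": 4625},
]
MITRE_ENTITY_ALERTS = [
    {"user": "jdoe", "tactic": "TA0006", "tactic_name": "Credential Access"},
    {"user": "jdoe", "tactic": "TA0008", "tactic_name": "Lateral Movement"},
]
FIREWALL_THREAT_LOGS = [
    {"src_ip": "203.0.113.7", "threat": "brute-force signature", "severity": "high"},
]


def correlate_failed_logons(iam, siem, window=timedelta(seconds=30)):
    """Merge failed logons from IAM and SIEM per user.

    An IAM failure and a SIEM failure for the same user and source address within
    `window` count as one event seen by two sources; everything else is kept as a
    single-source event so that nothing is silently dropped.
    """
    siem_by_user = defaultdict(list)
    for e in siem:
        siem_by_user[e["user"]].append(e)
    matched = set()  # (user, index into siem_by_user[user]) already paired
    per_user = defaultdict(list)
    for e in iam:
        sources = ["iam"]
        for idx, s in enumerate(siem_by_user[e["user"]]):
            if (e["user"], idx) in matched or s["src_ip"] != e["src_ip"]:
                continue
            if abs(parse_ts(s["ts"]) - parse_ts(e["ts"])) <= window:
                matched.add((e["user"], idx))
                sources.append("siem")
                break
        per_user[e["user"]].append({"ts": e["ts"], "src_ip": e["src_ip"], "sources": sources})
    for user, events in siem_by_user.items():
        for idx, s in enumerate(events):
            if (user, idx) not in matched:
                per_user[user].append({"ts": s["ts"], "src_ip": s["src_ip"], "sources": ["siem"]})
    return dict(per_user)


def score_users(per_user, mitre_alerts, firewall_logs):
    """Rank users by failed-logon volume, two-source confirmation, MITRE tactics
    already raised against the entity, and firewall threat hits on the source
    addresses of the failures. The weights are illustrative."""
    tactics = defaultdict(set)
    for a in mitre_alerts:
        tactics[a["user"]].add(a["tactic"])
    threat_ips = {t["src_ip"] for t in firewall_logs}
    ranked = []
    for user, events in per_user.items():
        confirmed = sum(1 for e in events if len(e["sources"]) == 2)
        fw_hits = sum(1 for e in events if e["src_ip"] in threat_ips)
        score = len(events) + 2 * confirmed + 5 * len(tactics[user]) + 5 * fw_hits
        ranked.append({"user": user, "failed_logons": len(events), "confirmed": confirmed,
                       "tactics": sorted(tactics[user]), "firewall_hits": fw_hits, "score": score})
    return sorted(ranked, key=lambda r: (-r["score"], r["user"]))


def run_user_investigation():
    per_user = correlate_failed_logons(IAM_FAILED_LOGINS, SIEM_FAILED_LOGONS)
    return score_users(per_user, MITRE_ENTITY_ALERTS, FIREWALL_THREAT_LOGS)


if __name__ == "__main__":
    for row in run_user_investigation():
        print(row)
```

In the sample data jdoe has three failures, two of them confirmed by both IAM and the SIEM, from an address the firewall already flagged, plus two MITRE tactics on record; that user rises to the top while asmith and bwong, each with a single unconfirmed failure from an internal address, stay at the bottom of the queue.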
3. SOAR playbook to block malicious indicators
You can create a SOAR playbook that automatically blocks indicators known to be malicious. A simple version of this playbook would look for IP addresses, domains, URLs, email addresses, file hashes, and user accounts across multiple integrations and block them when found.
There are two ways to approach this kind of automation. You can either configure your SOAR solution to automatically block malicious indicators on its own, or create an alert giving a security analyst the option to investigate before blocking.
You’ll have to make this decision on a case-by-case basis. Some organizations are better-suited to automated no-touch blocking than others. Some indicators are more likely to correlate to malicious behavior than others.
Always keep in mind that misconfigured incident response automations can lead to unpredictable results. Instead of accidentally blocking one user's activity, you may block hundreds of users or more. Working with reputable detection and response experts is highly recommended.
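The auto-block versus analyst-review decision, with the guardrails a practitioner would add against the blast-radius problem just described, as an added example (not Lumifi's playbook, and not the API of any firewall, proxy or EDR). The policy thresholds, allowlist, internal ranges and recent telemetry are constructed; the point is the ordering of the checks, which asks "how many users would this action touch?" before any indicator is blocked without a human in the loop.

```python
import ipaddress

# Per-indicator-type confidence needed to block without a human (constructed).
# Accounts get an unreachable threshold: they are never auto-blocked.
AUTO_BLOCK_MIN_CONFIDENCE = {
    "sha256": 80, "url": 85, "ip": 90, "domain": 90, "email": 95, "user": 101,
}
ALLOWLIST = {("domain", "corp.example"), ("ip", "198.51.100.10")}  # constructed
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAX_AFFECTED_USERS = 5  # blast-radius cap: above this, a human decides

# Constructed recent telemetry (proxy/DNS/EDR events) used to estimate who an
# action would affect before it is taken.
RECENT_EVENTS = (
    [{"user": f"user{i:02d}", "domain": "cdn-assets.example"} for i in range(40)]
    + [{"user": "jdoe", "ip": "203.0.113.7"}, {"user": "jdoe", "sha256": "a" * 64}]
)


def affected_users(ind_type, value, recent_events):
    """Distinct users seen touching this indicator recently."""
    return {e["user"] for e in recent_events if e.get(ind_type) == value}


def decide(indicator, recent_events=RECENT_EVENTS):
    """Return 'block', 'review' or 'skip' plus the reason, applying the guardrails
    in order: allowlist, internal addresses, confidence, blast radius."""
    ind_type, value, conf = indicator["type"], indicator["value"], indicator["confidence"]
    if (ind_type, value) in ALLOWLIST:
        return {"action": "skip", "reason": "allowlisted"}
    if ind_type == "ip" and any(ipaddress.ip_address(value) in net for net in INTERNAL_NETWORKS):
        return {"action": "review", "reason": "internal address; blocking could cut off internal hosts"}
    users = affected_users(ind_type, value, recent_events)
    if conf < AUTO_BLOCK_MIN_CONFIDENCE[ind_type]:
        return {"action": "review", "reason": f"confidence {conf} below auto-block threshold",
                "affected_users": len(users)}
    if len(users) > MAX_AFFECTED_USERS:
        return {"action": "review", "reason": f"{len(users)} users would be affected (cap {MAX_AFFECTED_USERS})",
                "affected_users": len(users)}
    return {"action": "block", "reason": "confidence and blast radius within policy",
            "affected_users": len(users)}


def plan(indicators, recent_events=RECENT_EVENTS):
    """Split a batch of indicators into those to block now and those to queue for an analyst."""
    out = {"block": [], "review": [], "skip": []}
    for ind in indicators:
        d = decide(ind, recent_events)
        out[d["action"]].append({**ind, **d})
    return out


SAMPLE_INDICATORS = [  # constructed
    {"type": "sha256", "value": "a" * 64,             "confidence": 95},  # one user -> block
    {"type": "domain", "value": "cdn-assets.example", "confidence": 99},  # 40 users -> review
    {"type": "ip",     "value": "203.0.113.7",        "confidence": 60},  # low confidence -> review
    {"type": "ip",     "value": "10.0.0.5",           "confidence": 99},  # internal -> review
    {"type": "domain", "value": "corp.example",       "confidence": 99},  # allowlisted -> skip
    {"type": "user",   "value": "jdoe",               "confidence": 99},  # accounts -> review
]

if __name__ == "__main__":
    for action, items in plan(SAMPLE_INDICATORS).items():
        for item in items:
            print(action, item["type"], item["value"], "-", item["reason"])
```

The domain with a 99 confidence score is the case the paragraph above warns about: it is almost certainly a real hit, but forty users touched it in the last window, so a silent block would look like an outage. Routing it to review costs a few minutes; auto-blocking it wrongly costs the whole organization.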
4. SOAR playbook for phishing email investigation
The sheer number of phishing attempts most organizations encounter makes phishing a prime target for response orchestration and automation. The process of detecting, investigating, and responding to phishing attacks often includes a large number of simple, repetitive tasks.
You could configure your SOAR solution to verify suspicious emails, extract indicators of compromise, block malicious URLs, and filter malicious email out of users’ inboxes.
However, this kind of playbook fires on every reported or suspicious message, so it generates a very large number of operations. Even a robust and well-configured playbook may be overwhelmed by false positives.
Adding qualifying characteristics from third-party tools helps to reduce false positives and keeps legitimate mail flowing. These custom detection rules must be built per role rather than organization-wide: employees in sales, accounting, and management all receive different volumes of incoming mail from unknown senders, so an "unknown sender" signal that is meaningful for one group is background noise for another.
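The extract-then-qualify steps above, as an added example that is not Lumifi's playbook and not any mail-security product's API: a constructed raw message is parsed with Python's standard `email` package to pull the sender, Reply-To, URLs, domains and attachment hashes, and the result is scored against per-role profiles so that the same "unknown sender plus plain-http link" message is delivered to sales but quarantined for management. The known-sender domains, role weights and thresholds are assumptions for the example.

```python
import email
import hashlib
import re
from email import policy
from urllib.parse import urlparse

# Constructed sample message: unknown sender, mismatched Reply-To, a plain-http
# link and an executable disguised as a PDF. The attachment is a 60-byte MZ stub.
RAW_EMAIL = b"""From: "Accounts Payable" <ap@invoice-portal.test>
Reply-To: collections@mail-drop.test
To: jdoe@corp.example
Subject: Overdue invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html; charset="utf-8"

<p>Please review the <a href="http://invoice-portal.test/login?acct=4412">invoice</a>
or download it from https://files.mail-drop.test/inv.pdf</p>
--B1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--B1--
"""

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
KNOWN_SENDER_DOMAINS = {"corp.example", "partner.example"}  # constructed
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta")

# Role profiles (constructed): how much an unknown sender counts for that role,
# and the score at which the playbook quarantines without waiting for an analyst.
ROLE_PROFILES = {
    "sales":      {"unknown_sender": 1, "auto_quarantine_at": 6},
    "accounting": {"unknown_sender": 2, "auto_quarantine_at": 5},
    "management": {"unknown_sender": 3, "auto_quarantine_at": 4},
}


def extract_iocs(raw):
    """Pull the indicators a phishing playbook would hand to blocking and enrichment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    sender = msg["From"].addresses[0].addr_spec
    reply_to = msg["Reply-To"].addresses[0].addr_spec if msg["Reply-To"] else None
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    urls = sorted(set(URL_RE.findall(text)))
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        attachments.append({"filename": part.get_filename() or "",
                            "sha256": hashlib.sha256(data).hexdigest(), "size": len(data)})
    return {
        "sender": sender, "sender_domain": sender.rsplit("@", 1)[-1].lower(),
        "reply_to": reply_to,
        "reply_to_domain": reply_to.rsplit("@", 1)[-1].lower() if reply_to else None,
        "urls": urls, "domains": sorted({urlparse(u).hostname for u in urls}),
        "attachments": attachments,
    }


def score_message(iocs, role):
    """Role-aware verdict: the same evidence means different things to different inboxes."""
    prof = ROLE_PROFILES[role]
    score, reasons = 0, []
    if iocs["sender_domain"] not in KNOWN_SENDER_DOMAINS:
        score += prof["unknown_sender"]; reasons.append("unknown sender")
    if iocs["reply_to_domain"] and iocs["reply_to_domain"] != iocs["sender_domain"]:
        score += 2; reasons.append("reply-to domain differs from sender")
    if any(a["filename"].lower().endswith(RISKY_EXTENSIONS) for a in iocs["attachments"]):
        score += 4; reasons.append("executable attachment")
    if any(u.startswith("http://") for u in iocs["urls"]):
        score += 1; reasons.append("plain-http link")
    if score >= prof["auto_quarantine_at"]:
        verdict = "quarantine"
    elif score >= 3:
        verdict = "flag_for_review"
    else:
        verdict = "deliver"
    return {"role": role, "score": score, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    iocs = extract_iocs(RAW_EMAIL)
    print(iocs)
    for role in ROLE_PROFILES:
        print(score_message(iocs, role))
```

The sample message is quarantined for every role because the Reply-To mismatch and the executable attachment dominate the score; the role profiles only change the outcome for the weak-signal case (unknown sender plus a plain-http link), which is exactly the case where a single organization-wide rule would either drown sales in false positives or let management's mail through.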
5. SOAR playbook for endpoint alert triage
This is a playbook designed to gather EDR alerts and triage them according to priority and severity. It serves an important role integrating EDR capabilities into security operations because it reduces alert fatigue and helps analysts cut through the noise.
To bypass the time-consuming manual analysis of EDR alerts, you'll need a platform capable of automatically extracting and analyzing evidence associated with those alerts. It may use a variety of correlation techniques, from simple statistical analysis (for example, comparing today's alert volume on a host against that host's baseline) to User and Entity Behavior Analytics (UEBA).
In either case, your analysis solution will provide an initial assessment of suspicious activity detected on your endpoint devices. It can then trigger simple automated actions such as isolating compromised devices, notifying specific team members, or resetting user credentials.
You can then assign priority based on the severity of the detected activity. This ensures a dedicated human analyst will investigate the event and validate high-impact alerts quickly—without spending time on lower-priority tasks first.
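The triage-and-act loop described in this section, as an added example that is not Lumifi's playbook and not any EDR vendor's API. It combines the alert's severity, the asset's criticality and a simple statistical check (z-score of today's alert count on the host against a seven-day baseline, the "simple statistical analysis" end of the range mentioned above) into a priority, then maps that priority to automated actions. The baseline, the alerts, the weights and the rule that crown-jewel servers are never isolated without approval are all constructed assumptions for the example.

```python
from collections import Counter
from statistics import mean, pstdev

SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}
ASSET_CRITICALITY = {"SRV-DB01": 3, "WS-0042": 1, "WS-0107": 1}  # constructed
NO_AUTO_ISOLATE = {"SRV-DB01"}   # crown jewels: ask a human before isolating
CREDENTIAL_TACTICS = {"TA0006"}  # Credential Access: rotate the user's credentials

# Constructed seven-day baseline of daily EDR alert counts per host.
BASELINE = {
    "SRV-DB01": [0, 0, 1, 0, 0, 0, 0],
    "WS-0042":  [2, 1, 3, 2, 2, 1, 2],
    "WS-0107":  [5, 4, 6, 5, 5, 4, 6],
}

# Constructed EDR alerts received today.
TODAYS_ALERTS = [
    {"id": "A1", "host": "SRV-DB01", "severity": "critical", "tactic": "TA0006", "user": "svc_backup"},
    {"id": "A2", "host": "SRV-DB01", "severity": "medium",   "tactic": "TA0002", "user": "svc_backup"},
    {"id": "A3", "host": "SRV-DB01", "severity": "low",      "tactic": "TA0007", "user": "svc_backup"},
    {"id": "A4", "host": "WS-0042",  "severity": "high",     "tactic": "TA0002", "user": "jdoe"},
    {"id": "A5", "host": "WS-0042",  "severity": "low",      "tactic": "TA0007", "user": "jdoe"},
    {"id": "A6", "host": "WS-0107",  "severity": "low",      "tactic": "TA0007", "user": "asmith"},
]


def anomaly_bump(host, today_count, baseline=BASELINE):
    """Z-score of today's alert volume against the host's baseline, turned into a
    priority bump. The standard deviation is floored at 0.5 so a normally silent
    host does not divide by almost zero."""
    hist = baseline.get(host)
    if not hist:
        return 0, 0.0
    z = (today_count - mean(hist)) / max(pstdev(hist), 0.5)
    return (2 if z >= 3 else 1 if z >= 2 else 0), round(z, 2)


def plan_actions(alert, priority):
    """Map a priority to the simple automated actions the section lists."""
    actions = []
    if priority == "P1":
        actions.append("request_isolation_approval" if alert["host"] in NO_AUTO_ISOLATE
                       else "isolate_host")
        actions.append("page_oncall_analyst")
    elif priority == "P2":
        actions.append("notify_soc_channel")
    else:
        actions.append("queue_for_review")
    if alert["tactic"] in CREDENTIAL_TACTICS:
        actions.append("reset_user_credentials")
    return actions


def triage(alerts=TODAYS_ALERTS):
    """Score every alert, assign a priority tier, and attach the planned actions,
    highest priority first so the analyst sees the high-impact alerts at the top."""
    counts = Counter(a["host"] for a in alerts)
    rows = []
    for a in alerts:
        bump, z = anomaly_bump(a["host"], counts[a["host"]])
        score = SEVERITY_WEIGHT[a["severity"]] + ASSET_CRITICALITY.get(a["host"], 1) + bump
        priority = "P1" if score >= 7 else "P2" if score >= 4 else "P3"
        rows.append({"id": a["id"], "host": a["host"], "score": score, "z": z,
                     "priority": priority, "actions": plan_actions(a, priority)})
    return sorted(rows, key=lambda r: (-r["score"], r["id"]))


if __name__ == "__main__":
    for row in triage():
        print(row)
```

The database server that normally raises no alerts and has three today is the clear outlier (z above 5), so even its low-severity alert lands in P2, whereas the workstation that always produces five or six alerts a day gets no bump at all. Isolation is requested rather than executed for that server, which is the same caution applied to blocking earlier on this page: the more an automated action can hurt, the more it should wait for a human.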
Orchestrating and automating incident response tasks is a demanding process. It can dramatically improve the efficiency of security operations, but only when conducted by reputable product experts.
Lumifi has years of experience building custom detection rules for some of the industry’s most advanced security tools. We can help you gain visibility into your operations and scale them to meet your organization’s growth needs. Talk to an automation expert now to find out more.