We met a SOC team recently that had a problem with scaling IOC enrichment, but didn’t have the time/resources/appetite to automate anything else (yet). Can SOAR provide value with such a small scope?
Yes, here is SOAR focusing on 1 job, and doing it well.
- Technology ‘x’ submits a log or potential IOC
- SOAR ingests and creates a ticket type “Enrichment“
- If the IOC has been logged before, re-run the existing task and don’t open a new one
- If not, run against the usual Intel providers (VirusTotal, Whois, Anomali, Censys, SafeBrowing, Shodan, etc) along with file detonation (FireEye, Cuckoo, ThreatGrid, etc)
- Each output is saved to a summary report
- If any score comes back as malicious, a new ticket is opened in their existing ticketing system (Zendesk, Jira, SalesForce, etc) with a ticket type “Investigation” for an Analyst to investigate.
- This first ticket is closed
With this design no analyst has Enrichment tasks, but only when something is bad does an analysts get involved with a 2nd ticket Investigation,
The benefits
- All enrichment happens 100% automatically – Save analyst fatigue with 100 x copy paste
- No error in copy-pasting – aka process deviation
- Enrichment starts with in seconds – boosts SLA metrics across the team
This approach saves several hours a day which can be used to up skill, or maybe even build the next time saving playbook.
Future Work
This time saving deployment was day 1 design. When proven the next steps were:
- If anything malicious found, check Splunk/Elastic if this IOC was found internal in last 4 weeks
- Search packet capture solutions, can we pull a recording of +/- 10 minutes of this IOC being detected
- Extract logs and attach to the Investigation ticket
Exciting times!
Andy