Helping remote MSSP/MDR enrich tickets

I’ve worked in the SOC space for almost 10 years and I find a very strong divide of the end customers:
– We allow the MSSP/MDR access to our network
– We don’t allow them any access, all information requests come through us.

Both are understandable, but it’s more work for the 2nd MSSP when they need to complete a tier 1 investigation.  How can automation help?

Imagine a SOAR platform inside the customer, that accepts emails [1] from the MSSP/MDR which contains an IOC/attribute. This playbooks then calls out and enriches accordingly….

  • Query AD for system owner
  • Query Asset Management for context
  • Query SIEM for end point alerts
  • Query Firewall for logs
  • ….and anything else.

The last step in the playbook is to email this report back to the MSSP/MDR, but only after the penultimate check where an end-client analyst reviews the contents first.



This way, with almost no overhead by the end customer, the MSSP/MDR, who still has no access to the network, any usernames, passwords API keys, is able to enrich their own investigation and in-turn increasing value.

Sometimes the simplest playbooks are the best!


[1] – Email, or maybe a HTTPs front end, validating source IP, with 2FA, etc

Leave a Reply