When I was a SOC team lead, prioritising alerts was very simple: each alert came with it hard coded….
alert tcp any any -> any 80 (msg:"WEB-MISC phf attempt"; flags:A+; content:"/cgi-bin/phf"; priority:10;)
…..10. So it goes to the top of the alert pile. As the meerkat says, simples.
But by continuously re-evaluating through the lifecycle of the incident/ticket, can we do better using SOAR?
Enrich against devices
You see malicious activity targeting an internal IP address, what is that device? Enrich with CMDB
Is the device a payment gateway? Priority +1
Is the attack against the correct Operating System? Priority +1
Enrich against the user
If we have an end user request on phishing, let us enrich with Active Directory.
Attack against any user? Priority +1
Attack against CxO? Priority +2
Phishing query from a reliable user? Priority +1
Phishing query from an unreliable user? Priority -2
Baseline of similar alerts
A simple test, but if a particular alert type is running at 205% of normal for a Tuesday afternoon, maybe we need to increase the priority to understand what has changed. Here I would enrich using SOAR/CaseManagement.
Confirm if Malicious
If I have two similar alerts, enrich with Threat Intelligence.
Alert includes known bad IOC? Priority +1
Alert has IOC from 2001/Eicar/RickRolling? Priority -1
Confirmed on your Estate
A trusted security person shares 2 IOCs with you; each becomes an independent ticket in SOAR, and automation kicks in to validate and search, enriching with SIEM.
IOC not on your network? Close ticket with 0 priority.
IOC observed on your network? Priority +1 and escalate
Per Incident type
Typically I would prioritise a Phishing enquiry before removing a user from an OrganisationalUnit in AD.
But if SOAR can automatically tell me that the Phishing enquiry contained no known IOC, and was from a high FalsePos user….. vs the OU request was from the CxO and involved a user that was currently logged on to the systems, I think I would probably swap their priorities around. **
So there you have some ideas on how to prioritise at the beginning of the ticket, and how to prioritise all the way through the ticket, to make sure you’re looking in the right place first.
** that’s a trick question, I wouldn’t do either of them, I have SOAR, but you get the point.
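The adjustments listed above, combined into one re-scoring function, as an added example (not code from the original post or from any SOAR product). The fact names, the Ticket class, the 2.0 spike threshold with its +1, and treating "any user" and "CxO" as independent flags are all assumptions. The score is recomputed from the alert's original priority each time, so it can be re-run whenever a new enrichment result arrives.

```python
from dataclasses import dataclass, field

# (enrichment fact, delta, source) as listed in the post; fact names are hypothetical
RULES = [
    ("payment_gateway",     +1, "CMDB"),
    ("os_matches_attack",   +1, "CMDB"),
    ("targets_user",        +1, "AD"),
    ("targets_cxo",         +2, "AD"),
    ("reliable_reporter",   +1, "AD"),
    ("unreliable_reporter", -2, "AD"),
    ("known_bad_ioc",       +1, "TI"),
    ("stale_ioc",           -1, "TI"),
]
SPIKE_RATIO, SPIKE_DELTA = 2.0, 1   # assumptions: the post only cites 205% as an example

@dataclass
class Ticket:
    name: str
    base: int                        # hard-coded priority the alert arrived with
    facts: dict = field(default_factory=dict)
    priority: int = 0
    escalate: bool = False
    closed: bool = False
    reasons: list = field(default_factory=list)

def reprioritise(t, baseline_ratio=1.0):
    """Recompute priority from base + current facts; safe to call repeatedly."""
    score, t.reasons = t.base, []
    for fact, delta, source in RULES:
        if t.facts.get(fact):
            score += delta
            t.reasons.append(f"{source} {fact} {delta:+d}")
    if baseline_ratio >= SPIKE_RATIO:
        score += SPIKE_DELTA
        t.reasons.append(f"baseline x{baseline_ratio:.2f} {SPIKE_DELTA:+d}")
    seen = t.facts.get("ioc_on_network")     # None = SIEM search not finished yet
    t.escalate, t.closed = seen is True, seen is False
    if seen is not None:
        t.reasons.append("SIEM " + ("ioc seen +1, escalate" if seen else "ioc not seen, closed"))
    t.priority = 0 if t.closed else score + (1 if t.escalate else 0)
    return t

def work_queue(tickets):
    """Open tickets, most urgent first (higher number = top of the pile)."""
    return sorted((t for t in tickets if not t.closed),
                  key=lambda t: t.priority, reverse=True)

# Constructed sample: two similar alerts arriving at priority 10, split by enrichment
SAMPLE = [Ticket("phf A", 10, {"payment_gateway": True, "known_bad_ioc": True, "ioc_on_network": True}),
          Ticket("phf B", 10, {"stale_ioc": True, "ioc_on_network": False})]
```

Calling reprioritise on each SAMPLE ticket and passing the results to work_queue leaves only "phf A" open; each ticket's reasons list records which enrichment source moved the score.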