From an engineer's perspective, Security Orchestration, Automation and Response (SOAR) products are incredibly enticing: they offer the ability to automate the technical aspects of your day-to-day work, and they also streamline the process involved in decision making and triage.
API integrations:
A very appealing piece of SOAR products is that they offer API integrations which you can use to automate responses to alerts or for alert enrichment. A lot of times I might have to connect to an API, perform the logic, and get into the code, so to speak, in order to make something happen. The ultimate promise of SOAR is that we don't have to do this: a no-code/no-programming experience.
Most vendors provide a list of the integrations they have. Although this doesn't exactly list what capabilities each integration has, it is good to know that the vendor has been developing integrations for your organization's particular product suite, or at least covers most of it. Some vendors might not have as many capabilities and lean on community-developed extensions instead.
Use Cases:
- Automated phishing investigations, from alerts to purges
- Enhance alert investigations by providing additional context data that would otherwise be gathered manually by a SOC analyst
- Automate threat hunting cases by pulling data from all your disparate tools
- Automate IOC lookups in threat intel platforms like VirusTotal or Talos Intel
- Automate user permission validation and account disables
- Automate provisioning/deprovisioning beyond just your Active Directory environment, e.g. your payroll app too
- Automate the malware incident response steps: identify, investigate, contain and remove
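What a playbook for the phishing and IOC-lookup use cases above looks like in code, as an added example (not any vendor's playbook): it extracts indicators from an alert, enriches them through a pluggable lookup callable, and turns the result into response actions. The reputation table, the `.invalid` lure URL, the attachment hash and the alert itself are all constructed so the playbook runs offline; in a real deployment the lookup would be the vendor's threat-intel integration.

```python
import re

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")

# Constructed, in-memory reputation table standing in for a real threat-intel API.
REPUTATION = {
    "http://login-example.invalid/reset": "malicious",  # constructed credential lure
    "deadbeef" * 8: "suspicious",                       # constructed attachment hash
}

def demo_lookup(ioc):
    """Stand-in for the provider call a SOAR integration would make (e.g. VirusTotal)."""
    return REPUTATION.get(ioc, "unknown")

def extract_iocs(alert):
    """Pull URLs and SHA-256 hashes out of the alert body and attachment metadata."""
    text = alert["body"] + " " + " ".join(alert.get("attachment_hashes", []))
    return sorted(set(URL_RE.findall(text)) | set(SHA256_RE.findall(text)))

def enrich(iocs, lookup):
    """Query the pluggable threat-intel provider once per unique indicator."""
    return {ioc: lookup(ioc) for ioc in iocs}

def triage(alert, lookup, purge_threshold=50, escalate_threshold=20):
    """Turn enrichment results into response actions; returns score, verdicts, actions."""
    weights = {"malicious": 50, "suspicious": 20, "unknown": 0}
    verdicts = enrich(extract_iocs(alert), lookup)
    score = sum(weights.get(v, 0) for v in verdicts.values())
    actions = []
    if score >= purge_threshold:
        actions.append("purge_message")          # pull the mail from every mailbox
        if alert.get("user_clicked"):
            actions.append("disable_account")    # the user interacted with the lure
    if score >= escalate_threshold:
        actions.append("create_case")            # hand the enriched context to an analyst
    else:
        actions.append("close_as_benign")        # nothing known-bad; auto-close with evidence
    return {"score": score, "indicators": verdicts, "actions": actions}

# Constructed phishing alert, shaped like what an email gateway or SIEM would emit.
SAMPLE_ALERT = {
    "body": "Your password expires today, reset it at http://login-example.invalid/reset now",
    "attachment_hashes": ["deadbeef" * 8],
    "user_clicked": True,
}
```

The thresholds are the tunable part: they are where the "decision making and triage" logic lives once an analyst no longer does it by hand, and the returned indicator verdicts are the evidence the case should carry.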
Chat-bot Operations:
Some vendors offer chat operations, sending alerts that bubble up to your team via either Microsoft Teams or something like a Slack group chat.
Integration lists from different SOAR vendors:
- Swimlane's integrations: https://swimlane.com/platform/integrations/
- D3’s Integrations: https://d3security.com/platform/integrations/
- Splunk’s integrations: https://www.splunk.com/en_us/software/splunk-security-orchestration-and-automation/apps-and-integrations.html
- IBM's Resilient integrations: https://github.com/ibmresilient/resilient-community-apps
Resources:
https://www.rapid7.com/info/security-orchestration-and-automation-playbook/