Practical use cases for SOAR

Learn how to streamline threat response and automate critical use cases with security orchestration, automation, and response

Source: gallery.logrhythm.com


TABLE OF CONTENTS

Introduction (page 3)
The benefits of automating your SOC (page 4)
Identifying key SOAR use cases (page 5)
    Automate phishing email investigation (page 6)
    Streamline threat hunting (page 9)
    Reduce time to qualify and respond to threats with automatic notification (page 12)
    Qualify and triage threats with contextualisation (page 14)
    Reduce alarm fatigue with use case automation (page 16)
    Streamline your security operations workflow (page 18)
    Document processes and gather metrics (page 19)
    Protect business interests beyond security with SmartResponse Automation (page 20)
Automation use cases (page 21)
    Contain a threat (page 22)
    Explore privilege escalation (page 22)
    Manage provisioning and deprovisioning users (page 22)
What to consider in a SOAR solution (page 23)
Conclusion (page 25)
About (page 26)


Introduction

Automation is part of our everyday lives. Yet where security is concerned, organisations are holding back. Some 59 per cent of organisations said they use low levels or no automation of key security and incident response (IR) tasks, according to a recent SANS survey [1].

Despite automation’s ability to simplify and streamline workflows, there are a number of obstacles preventing organisations from wider-scale adoption for their security operation centres (SOCs). Cost is one common obstacle: automation requires an upfront investment that may be hard to swallow, especially if you’re uncertain about the return on investment. Another challenge? You may not trust automated, managed processes. After all, varying types of automation have different levels of risk. What’s more, you might be unsure how to use automation.

Despite these concerns, automation can make a difference. Automation can free your analysts from performing routine tasks, enabling them to focus on events that require more attention. Automation can also improve your mean time to detect (MTTD) and mean time to respond (MTTR) to threats and alert you to areas where you need to improve.

To automate your SOC, you need the right tools to help your organisation respond faster to threats and lower the risk of human error. You need a security orchestration, automation, and response (SOAR) solution that integrates with your security information and event management (SIEM) to help your team respond faster to threats through a unified interface.

[1] 2019 SANS Automation & Integration Survey, SANS, March 2019


The benefits of automating your SOC

Security automation involves having one or more security operations-related tasks run on their own, without human intervention. This can be a mostly manual workflow with a single automated step, or a long, complex chain of automated, interconnected steps. Traditionally, automation was considered an all-or-nothing proposition, but automation is flexible. You can implement automation solutions at various points of an incident response process to free analysts from handling repetitive tasks while maintaining human control over how they monitor and react to alerts.

Another benefit is that automation removes the “wait time”: the time it takes for analysts to perform an action that a SIEM could execute. Automation also enables security teams to focus on more complex activities.

Automating a basic set of responses (e.g. disabling a user account or quarantining a host) can eliminate hours or days a threat might remain active in an environment, reducing your time to qualify (TTQ) and respond to a threat. Automation can also help you protect your organisation and strengthen its resilience through processes that you can repeat.

So, where do you get started? How do you assess your organisation’s goals and comfort levels for automation? A good first step is to measure and baseline. Metrics are a key part of your cybersecurity and security operations program. Defining metrics such as MTTD and MTTR helps you prove effectiveness and secure future investment. By building consistent measurements, you can review your SOC’s essential functions and evaluate its performance accurately.


Identifying key SOAR use cases

To automate your SOC, you need a SOAR solution that integrates with your SIEM. A SIEM with an integrated SOAR solution helps teams respond to threats faster because all the information they need is in one place. It also reduces the chance of human error and the time analysts spend moving between tools because they can all work via a unified interface.

A SOAR solution can help your security team respond to alerts more quickly, enabling it to focus on the most important tasks. SOAR also helps streamline threat investigation and mitigation by coordinating and automating as many steps in the response workflow as possible.

To help you understand how SOAR can benefit your organisation, we’ve outlined some common use cases LogRhythm addresses.

How LogRhythm enables SOAR

LogRhythm NextGen SIEM Platform combines patented machine-based analytics, user and entity behaviour analytics (UEBA), network detection and response (NDR), and SOAR in a single, unified architecture, delivered from the cloud or as an on-prem solution.

LogRhythm RespondX is a security orchestration, automation, and response (SOAR) solution that expedites investigative workflows, saving you time and resources. Your team can focus on more complex challenges and work to scale your overall security operation. RespondX includes:

• Case Management
• Case Playbooks
• Contextualisation
• SmartResponse Automation
• Case Metrics & Reporting

SmartResponse Automation is a capability of the LogRhythm NextGen SIEM Platform that notifies analysts when an anomalous event occurs. As an embedded feature in LogRhythm RespondX, SmartResponse enables automated actions.

Machine Data Intelligence Fabric makes data more powerful by preparing a highly consistent and predictable dataset for accurate analytics.


10 practical uses of SOAR

Automate phishing email investigation

When it comes to phishing, one out of every 99 emails is a phishing attack [2]. That equates to an average of 4.8 emails per employee in a five-day work week [3]. As phishing attempts continue to grow, you’re likely not adequately protected.

As with most phishing attempts, threat actors try to gain financial information or steal a user’s credentials to access sensitive or private corporate information. But with LogRhythm’s built-in capabilities, you can automate a workflow around phishing attempts and save analysts precious time to work on other tasks.

LogRhythm’s Phishing Intelligence Engine (PIE) is an open-source PowerShell framework that works with the LogRhythm NextGen SIEM Platform, enabling you to automatically detect phishing attacks, validate active threats, and automate the investigation and remediation workflow to minimise exposure time.

[2] 1 in 99 Emails is a Phishing Attack, What Can Your Business Do?, Small Business Trends, July 12, 2019
[3] Ibid.



LogRhythm’s PIE determines the risk level of emails by analysing subject lines, sender addresses, recipients, message body, links, and attachments, automatically responding to threats by quarantining suspicious emails, blocking senders, and searching for clicks.

In addition to triggering alarms on known spammers and other malicious events based on the data, PIE enables you to employ automated actions. For example, PIE quarantines the same phishing email if multiple people in the company received it. With PIE, you can also change credentials and add blocks on senders, ensuring that a specific user can no longer phish the organisation.

Figure 1: PIE automatically handles the entire workflow to investigate and respond to a phishing attack, freeing up analysts to perform other tasks


PIE also lets users automatically create a new Case in a SOC queue and automate analysis tasks. Once qualified, it will pull similar emails from O365 so users can’t click on them accidentally.

Figure 2: PIE data syncs with the LogRhythm NextGen SIEM Platform to create Case files to sort forensic details related to phishing attacks


Streamline threat hunting

While cybercriminals need only minutes to compromise systems, it can take weeks or even months to detect a possible threat. To reduce the time to detect and respond to a cyberthreat, you need a solution that automates your threat hunting capabilities.

Threat hunting involves manual and machine-assisted methods of searching through networks and large datasets of information (e.g. threat intelligence lists) to find threats that evade existing defences, such as antivirus systems, intrusion detection systems, intrusion prevention systems, and firewalls, among others.

To maximise threat hunting, your analysts should use automation to accelerate these hunts to make them easier and more accurate. It’s important to note that threat hunting requires specific analytic skills, such as familiarity with your organisation and its internal processes, as well as the ability to investigate possible incidents.

LogRhythm’s Threat Hunting Automation (THA) app combines LogRhythm’s SmartResponse™ Automation, Machine Data Intelligence (MDI) Fabric, and PIE to streamline and automate the threat hunting process. The THA app is a series of functions and scripts that automates passing collected potential indicators (e.g. hashes, IPs, domains, hostnames, or URLs) from a configured threat intelligence provider to available web-based malware analysis databases such as VirusTotal and Open Threat Exchange.

The app also allows you to:

• Display the results on the screen to offer additional information
• Create a Case and add the output of the provider to the Case for tracking
• Add the alarm as evidence into the Case to document your findings
• Automate the investigation by reading from Elasticsearch and using or creating alarms, if needed, to accelerate threat detection and identification

With THA, you can use include or exclude filters on the output to specify your needs.


Figure 4: With THA, you can add specific details and run the app from the Command Line


Through powerful APIs, LogRhythm gives you complete control of the automation lifecycle. You can integrate the LogRhythm solution seamlessly with your current process and improve your threat hunting capabilities.

A configuration is available to automate Case creation and alarm integration with Kafka. A Case will be created if the provider marked this as dangerous in the indicator status. The parameter CreateAlarm will integrate with Kafka, a distributed streaming platform, which will raise an alarm whenever a malicious indicator surfaces.

With THA, you can turn evidence into notes and add it to the Case upon request.

Figure 5: The app will create a Case if the IOC is confirmed in the provider request

Figure 6: The app adds the evidence found as notes on the provider’s request
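The indicator hand-off that the THA pages describe (typing collected indicators, applying include/exclude filters, querying a provider, opening a Case only for indicators the provider marks dangerous, and raising an alarm when CreateAlarm is set), as an added Python example that is not part of LogRhythm's THA app; the provider verdicts, the sample indicator list and the Case and run_hunt names are constructed for illustration.

```python
"""Added example, not LogRhythm code: a stand-in for the THA indicator hand-off.
Indicators are typed (hash, IP, domain, hostname, URL), filtered with include/
exclude rules, checked against a provider, and turned into a Case (plus an alarm
when create_alarm is set). Provider verdicts below are constructed."""
import ipaddress
import re
from dataclasses import dataclass, field

# MD5 / SHA-1 / SHA-256 hex digests; domains need at least one dot and an alphabetic TLD.
HASH_RE = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)
URL_RE = re.compile(r"^https?://", re.I)
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9-]{1,63}$")


def indicator_type(value: str) -> str:
    """Classify one raw indicator; 'unknown' for anything unrecognised."""
    v = value.strip()
    if URL_RE.match(v):
        return "url"
    if HASH_RE.match(v):
        return "hash"
    try:
        ipaddress.ip_address(v)
        return "ip"
    except ValueError:
        pass
    if DOMAIN_RE.match(v):
        return "domain"
    if HOSTNAME_RE.match(v):
        return "hostname"
    return "unknown"


# Constructed provider verdicts standing in for VirusTotal / Open Threat Exchange lookups.
PROVIDER_VERDICTS = {
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0": {"status": "dangerous", "detections": 41},
    "203.0.113.77": {"status": "dangerous", "detections": 7},
    "example.com": {"status": "clean", "detections": 0},
    "http://files.example.test/download": {"status": "dangerous", "detections": 12},
}

# Constructed feed output: the kind of mixed list a threat-intel provider returns.
SAMPLE_INDICATORS = [
    "0f1e2d3c4b5a69788796a5b4c3d2e1f0",
    "203.0.113.77",
    "example.com",
    "http://files.example.test/download",
    "workstation-12",
    "not an indicator!!",
]


@dataclass
class Case:
    indicator: str
    indicator_type: str
    notes: list = field(default_factory=list)
    alarm_raised: bool = False


def lookup(indicator: str) -> dict:
    """Provider query; indicators the provider has never seen come back 'unknown'."""
    return PROVIDER_VERDICTS.get(indicator, {"status": "unknown", "detections": 0})


def run_hunt(indicators, include=None, exclude=(), create_alarm=False):
    """Type, filter, enrich and act on a batch of indicators.

    include: indicator types to process (None means all); exclude: types to skip.
    Returns (cases, skipped): skipped lists what the filters dropped, so a run
    can be audited instead of silently narrowing the hunt."""
    cases, skipped = [], []
    for raw in indicators:
        kind = indicator_type(raw)
        if kind == "unknown" or kind in exclude or (include and kind not in include):
            skipped.append((raw, kind))
            continue
        verdict = lookup(raw)
        if verdict["status"] != "dangerous":
            continue  # a Case is only opened when the provider marks the indicator dangerous
        case = Case(raw, kind)
        case.notes.append(f"{verdict['detections']} provider detections")  # evidence as a note
        case.alarm_raised = create_alarm  # CreateAlarm: also publish an alarm (Kafka in THA)
        cases.append(case)
    return cases, skipped


if __name__ == "__main__":
    opened, dropped = run_hunt(SAMPLE_INDICATORS, exclude=("url",), create_alarm=True)
    for c in opened:
        print(f"Case: {c.indicator_type} {c.indicator} alarm={c.alarm_raised} {c.notes}")
    print("skipped:", dropped)
```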


Reduce time to qualify and respond to threats with automatic notification

When a threat makes its way into your environment, you need to act fast to minimise damage. But you first need to know that the threat exists. While a traditional SIEM platform features a variety of built-in methods designed to notify users of important events, your notifications may not be as effective as you want.

To reduce response time, you need to automate common investigation and response actions. This is where LogRhythm SmartResponse™ Automation, an embedded feature in LogRhythm RespondX (our SOAR solution), helps. SmartResponse, a capability of the LogRhythm NextGen SIEM Platform, enables automated actions. SmartResponse includes details to help you determine next steps (i.e. whether you need to act fast or if you can wait to respond). SmartResponse actions are flexible: they can be automated, approval-based, or run by ad-hoc execution.

When an alarm triggers, SmartResponse actions fire to alert the team to the situation and get the right people involved. This category of SmartResponse reduces your time to qualify (TTQ) and time to respond (TTR) to a threat. Your analysts don’t have to check their email or spend time logging into a web console; they receive immediate notifications when an incident occurs and can take action.

For example, LogRhythm AI Engine, a component of the LogRhythm NextGen SIEM Platform, detects the presence of outbound internet relay chat (IRC) on your network, a chat protocol regularly found in instances of malware. Upon detection, a SmartResponse fires and notifies your team about the alarm via your security team’s Slack channel or other communication vehicle, such as SMS or Twilio.

Figure 7: Outbound internet relay chat (IRC) alarm fires


Figure 8: SmartResponse delivers automated notifications via Slack

Once you qualify a threat and determine that it is malicious, you must prevent it from spreading. For example, you might determine that the IRC is destined for a malicious IP address located in an abnormal geographic region. You can configure a SmartResponse action to fire upon your analysts’ approval and block traffic to the entire network range associated with the malicious IP by interacting with a list of hosts or ranges configured on your firewall.

Figure 9: Ad-hoc SmartResponse

Your analysts can also use SmartResponse and LogRhythm integrations to rapidly contain and remediate the threat by taking action to prevent a security incident from incurring damage.

While analysts can perform these actions manually, using automation via LogRhythm’s SmartResponse actions will immediately notify you of an event or threat, and in the most effective channel. With SmartResponse, you can remediate threats from the SIEM and reduce login time to a click of a button to expedite threat response.
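The three SmartResponse execution modes named in this section (automated, approval-based, ad-hoc) and the approval-gated block of the firewall range containing a malicious destination IP from the IRC example, as an added Python example that is not LogRhythm code; the firewall range list, the Action and SmartResponseRunner names, the sample IP and the notifier callable are constructed stand-ins.

```python
"""Added example, not LogRhythm code: the three SmartResponse execution modes
described on this page (automated, approval-based, ad-hoc) applied to the IRC
alarm scenario, where the block of the firewall range containing a malicious
destination IP waits for an analyst's approval. Firewall ranges, the alarm
target and the notifier are constructed stand-ins."""
import ipaddress
from dataclasses import dataclass, field

# Constructed firewall object list: the host/range objects a block action may reference.
FIREWALL_RANGES = ["203.0.113.0/24", "198.51.100.0/25", "192.0.2.0/24"]

MODES = ("automated", "approval", "adhoc")


def containing_range(ip: str, ranges=FIREWALL_RANGES):
    """Return the configured range that contains `ip`, or None when no range matches."""
    addr = ipaddress.ip_address(ip)
    for cidr in ranges:
        net = ipaddress.ip_network(cidr)
        if addr in net:
            return str(net)
    return None


@dataclass
class Action:
    name: str           # e.g. "block_range"
    mode: str           # one of MODES
    target: str         # the destination IP the alarm reported
    requested_by: str
    status: str = "pending"
    log: list = field(default_factory=list)


class SmartResponseRunner:
    """Executes actions according to their mode and records what reached the firewall."""

    def __init__(self, notifier):
        self.notify = notifier   # Slack/SMS sender in a real deployment; any callable here
        self.blocked = set()     # ranges actually pushed to the firewall

    def request(self, action: Action):
        if action.mode not in MODES:
            raise ValueError(f"unknown mode {action.mode!r}")
        action.log.append(f"requested by {action.requested_by} ({action.mode})")
        if action.mode == "automated":
            return self._execute(action, actor="system")
        if action.mode == "adhoc":
            return self._execute(action, actor=action.requested_by)
        # approval-based: notify the team and wait; nothing touches the firewall yet
        self.notify(f"APPROVAL NEEDED: {action.name} on {action.target}")
        return action

    def approve(self, action: Action, approver: str):
        if action.mode != "approval" or action.status != "pending":
            raise ValueError("action is not awaiting approval")
        if approver == action.requested_by:
            # separation of duties: the requester cannot approve their own block
            raise PermissionError("requester cannot approve their own action")
        action.log.append(f"approved by {approver}")
        return self._execute(action, actor=approver)

    def _execute(self, action: Action, actor: str):
        if action.name == "block_range":
            rng = containing_range(action.target)
            if rng is None:
                action.status = "failed"
                action.log.append("no configured range contains the target")
                return action
            self.blocked.add(rng)
            self.notify(f"Blocked {rng} (contains {action.target}), actor {actor}")
        action.status = "executed"
        action.log.append(f"executed by {actor}")
        return action


if __name__ == "__main__":
    sent = []
    runner = SmartResponseRunner(sent.append)
    block = Action("block_range", "approval", "203.0.113.77", requested_by="alice")
    runner.request(block)          # notifies the team, action stays pending
    runner.approve(block, "bob")   # a second analyst approves; firewall list updated
    print(block.status, sorted(runner.blocked), sent)
```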


Qualify and triage threats with contextualisation

While notifications are important, they are only as good as their contextual information. To effectively detect and remediate a threat, being aware of an alarm is not enough. You need actionable information to triage and resolve the event. Without it, your analysts will spend time and resources searching for this information, adding more work to their already busy schedules.

That’s where LogRhythm contextual SmartResponse actions help. Contextual information gives analysts background information around an alarm to enrich the quality of an alert, enabling them to make informed decisions regarding a response.

If analysts notice an unusual occurrence in the log data, they can use additional contextualise actions to simplify and expedite the search for more information. Additional contextualise actions are easy to write and implement, and enable analysts to gather basic contextual information they need to make a decision and respond to the event.

Figure 10: LogRhythm contextualise action configuration works to gather basic information


For example, if analysts encounter Windows Event ID 4624, they won’t know the origin of that ID. Most analysts will use a search engine and query the unknown ID to learn more. This means analysts have to open a new window, search for the information needed, and navigate to the appropriate third-party website to discover more.

Figure 11: Additional contextualise action on an IP address

Additional contextual actions are a feature of your Web Console and operate similarly to Chrome search shortcuts. With LogRhythm’s additional contextualise actions, you can click on Windows Event ID 4624, and a new browser will open so you can query more information, allowing your SIEM to search for you. This reduces the number of clicks to get to your information and makes it easy to run custom searches for information in log data. While additional contextualise actions expedite the process of querying for basic contextual information, LogRhythm offers contextual SmartResponse actions that can automate this process and perform more complex searches.

Figure 12: Host information from ARIN


Reduce alarm fatigue with use case automation

Making sense of a barrage of alarms is likely an ongoing struggle for your analysts. Your analysts don’t have time to investigate and triage alarms that may turn out to be meaningless. Luckily, Case Automation fills the gap. Case Automation can help you reduce alarm fatigue by automatically aggregating similar alarms into a single Case and providing the context you need to make decisions fast.

The LogRhythm NextGen SIEM Platform includes scores of prebuilt SmartResponse Automation that provide critical threat context, effective Case grouping, and fast triage to help you focus on incident response.

If an alarm fires overnight, your analysts need the right information to take action when they arrive at work. With LogRhythm’s SmartResponse Automation, analysts can invest time upfront to automatically gather crucial details and set up certain actions to save time.

Analysts may see 50 alarms for the same campaign, but for different users. But they don’t want to waste time investigating all of the alarms and creating 50 Cases. Instead, analysts can aggregate the alarms with Case Automation, which condenses multiple alarms and attaches the alarms to a Case automatically, minimising alarm fatigue.

Figure 13: LogRhythm SmartResponse Automation can help you reduce alarm fatigue


With SmartResponse Automation, your analysts can easily group alarms that are from the same campaign. They can also review information that was automatically pulled in, such as email addresses, users impacted, and notes about the alarm. Preapproved SmartResponse Automation can automatically generate a Case, add relevant tags and details to the Case, assign a Tier 1 analyst, and associate the Case with the appropriate playbook to handle response.

Figure 14: SmartResponse enables you to add additional details to your Case

If analysts need to collaborate with someone else, they can add colleagues to assist with a Case. Those added will receive notifications that they have been added to the Case.

Figure 15: SmartResponse Automation lets you add colleagues to assist in a Case
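The Case Automation behaviour described on these two pages (many alarms from one campaign against different users condensed into a single Case that already carries the impacted users, sender addresses, tags, a Tier 1 assignee and the playbook to follow), as an added Python example that is not LogRhythm code; the alarm records, the rule-to-playbook mapping and the Case and aggregate names are constructed for illustration.

```python
"""Added example, not LogRhythm code: Case Automation as described on this page.
Alarms from one campaign that differ only by recipient are condensed into a single
Case carrying the impacted users, sender addresses, tags, a Tier 1 assignee and
the playbook to follow. The alarm records below are constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed alarm export: four phishing alarms from one lure (invoice numbers and
# letter case vary per recipient), one from a different sender, one unrelated alarm.
SAMPLE_ALARMS = [
    {"id": 101, "rule": "Phishing: Credential Lure", "sender": "billing@invoice-example.test",
     "subject": "Invoice 4471 overdue", "user": "alice"},
    {"id": 102, "rule": "Phishing: Credential Lure", "sender": "billing@invoice-example.test",
     "subject": "Invoice 4472 overdue", "user": "bob"},
    {"id": 103, "rule": "Phishing: Credential Lure", "sender": "Billing@Invoice-Example.test",
     "subject": "Invoice 4473 OVERDUE", "user": "carol"},
    {"id": 104, "rule": "Phishing: Credential Lure", "sender": "billing@invoice-example.test",
     "subject": "Invoice 4474 overdue", "user": "dave"},
    {"id": 105, "rule": "Phishing: Credential Lure", "sender": "hr@payroll-example.test",
     "subject": "Updated payroll form", "user": "erin"},
    {"id": 106, "rule": "Suspicious User Activity", "sender": "", "subject": "", "user": "frank"},
]

# Which playbook a Case for each alarm rule is associated with (constructed mapping).
PLAYBOOKS = {
    "Phishing: Credential Lure": "Phishing Response",
    "Suspicious User Activity": "Suspicious User Activity",
}


@dataclass
class Case:
    title: str
    alarm_ids: list = field(default_factory=list)
    impacted_users: set = field(default_factory=set)
    senders: set = field(default_factory=set)
    tags: set = field(default_factory=set)
    assignee: str = ""
    playbook: str = ""
    notes: list = field(default_factory=list)


def campaign_key(alarm):
    """Collapse per-recipient variation: same rule and sender (case-insensitive),
    subject lower-cased with digit runs masked so 'Invoice 4471' == 'Invoice 4472'."""
    subject = re.sub(r"\d+", "#", alarm["subject"]).lower().strip()
    return (alarm["rule"], alarm["sender"].lower(), subject)


def aggregate(alarms, tier1_analyst="tier1-oncall"):
    """Group alarms by campaign and build one pre-populated Case per group."""
    groups = defaultdict(list)
    for alarm in alarms:
        groups[campaign_key(alarm)].append(alarm)

    cases = []
    for (rule, sender, subject), members in groups.items():
        case = Case(title=f"{rule} ({len(members)} alarms)")
        for alarm in members:
            case.alarm_ids.append(alarm["id"])
            case.impacted_users.add(alarm["user"])
            if alarm["sender"]:
                case.senders.add(alarm["sender"].lower())
        case.tags.update({"auto-created", rule.split(":")[0].lower()})
        case.assignee = tier1_analyst
        case.playbook = PLAYBOOKS.get(rule, "Generic Triage")
        if subject:
            case.notes.append(
                f"Aggregated {len(members)} alarms matching subject pattern '{subject}'")
        cases.append(case)
    return cases


if __name__ == "__main__":
    for case in aggregate(SAMPLE_ALARMS):
        print(case.title, "->", case.playbook, sorted(case.impacted_users), case.alarm_ids)
```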


Streamline your security operations workflow

When it comes to protecting your organisation, your speed to detect and respond to a threat is crucial. Measuring the time to detect and respond to a threat is nearly just as important. To reach a lower MTTD and MTTR, it’s essential to streamline your organisation’s security operations workflow, regardless of your industry.

For example, a large bank might use a software as a service (SaaS) email security solution to scan its inbound email to detect email-borne malware and phishing attacks, but it may lack usable log messages of such alerts. Relying solely on email to alert to potential incidents could be problematic. First, an analyst must monitor an additional interface. Secondly, an email notification increases the risk that your analysts might not respond quickly enough, or even worse, miss important security alerts.

Figure 16: Malware example email shows a SaaS alert

LogRhythm uses PowerShell scripts to turn the email alerts into a text log and uses AI Engine to automatically send the notification. The AI Engine rule includes a SmartResponse action that automatically creates a Case. Case details are instantly populated, giving analysts immediate critical details.

By eliminating an additional application that needs to be monitored and automatically piping the alarm information into LogRhythm, LogRhythm can reduce your MTTD and MTTR from hours to minutes.


Document processes and gather metrics

Responding quickly to a potential threat is paramount, but you need the right tools and information to take action. LogRhythm Case Playbooks give your SOC the capability to codify standard operating procedures. With Case Playbooks, your analysts not only can capture their own playbooks, but they can modify existing ones and attach company policies and procedures. When combined with Case Metrics, these features enable your SOC to react more efficiently and decrease MTTD and MTTR.

For example, assume a SOC analyst wants to improve how to handle suspicious user activity situations. The SOC already uses a SmartResponse to automatically open a Case when a Suspicious User Activity Alarm rings. A global administrator downloads and imports the suspicious user activity playbook from the LogRhythm community. This playbook covers 11 basic steps to investigate and remediate these types of incidents:

1. Determine if you are investigating an incident or event
2. Determine if there are any security classifications observed with the suspicious user activity
3. Determine if the activity is normal for the user account
4. Determine if the user is logging in during normal business hours
5. Determine if the user is failing authentication or access
6. Determine if the user is authenticating from normal locations for that user account
7. Determine if the user is using any new applications or new processes observed
8. Determine if the employee is traveling for work
9. Determine if the employee is out of the office (vacation or sick)
10. Disable the user account
11. Provide feedback and lessons learned to reduce chances of incident occurring again


An analyst on the team identifies that he or she needs to add the additional step of checking if the user is a “VIP” before disabling the account. The analyst updates the playbook, inserting this step between nine and 10. The new playbook is now available for future handling of the suspicious user activity alarms.

With the playbook in place to address these alarms, Case Metrics for MTTD and MTTR are available to measure the efficiency of the process and identify areas for improvement. For example, let’s say the metrics highlight that step seven is a bottleneck in the process. The organisation recently deployed Carbon Black for endpoint protection. To improve MTTR, the team deploys a Carbon Black SmartResponse Automation to automatically extract the process list from the user’s potentially impacted systems.

Protect business interests beyond security with SmartResponse Automation

Beyond security, you can use automated responses to protect other business interests, such as your company website. If your company made updates to its website and the website became infected with a bug and impacted functionality, the site would generate error messages.

If your analysts receive an alarm about this unusual activity, they would need context to understand the problem, determine its severity, and fix it. Your analysts would need to know which webpage is generating the error message, when it was last updated, and who updated it. With LogRhythm SmartResponse Automation, these details are available with notifications, which analysts receive through their preferred medium.

If an engineer received a website error alert with the contextual information, he or she could quickly determine the severity of the loss of functionality without having to manually triage. The engineer could also use contextual SmartResponse Automation to determine which code check-in was used to update the page, when the update occurred, and which page or resource changed. For a fast resolution, the engineer could quickly revert the page to its most recent version to restore business functionality and work to troubleshoot the update at another time.
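The playbook maintenance and Case Metrics loop from the "Document processes and gather metrics" section above (the 11-step suspicious user activity playbook, inserting the VIP check between steps 9 and 10, and using per-Case timings to compute MTTD and MTTR and surface step seven as the bottleneck), as an added Python example that is not LogRhythm code; the step timings and the insert_step and case_metrics names are constructed for illustration.

```python
"""Added example, not LogRhythm code: the playbook maintenance and Case Metrics
loop described in this section. A playbook is a list of steps, a new step can
be inserted between existing ones (the VIP check between steps 9 and 10), and
per-Case step timings yield MTTD, MTTR and the bottleneck step. Timings are
constructed, in minutes."""
from statistics import mean

# The 11 suspicious-user-activity steps from this section, abbreviated.
PLAYBOOK_STEPS = [
    "Incident or event?",
    "Security classifications observed?",
    "Activity normal for the account?",
    "Login during business hours?",
    "Failing authentication or access?",
    "Authenticating from normal locations?",
    "New applications or processes observed?",
    "Employee travelling for work?",
    "Employee out of office?",
    "Disable the user account",
    "Feedback and lessons learned",
]

# Constructed Case timings: detect_minutes is first malicious event to alarm;
# step_minutes[i] is the time spent on playbook step i+1.
SAMPLE_CASES = [
    {"case": "C-1", "detect_minutes": 15, "step_minutes": [2, 3, 4, 2, 3, 4, 45, 2, 2, 5, 6]},
    {"case": "C-2", "detect_minutes": 25, "step_minutes": [3, 2, 5, 3, 2, 5, 60, 3, 2, 4, 7]},
    {"case": "C-3", "detect_minutes": 20, "step_minutes": [2, 4, 3, 2, 4, 3, 30, 2, 3, 5, 5]},
]


def insert_step(steps, after, text):
    """Return a new playbook with `text` inserted after 1-based step `after`
    (after=9 places it between steps 9 and 10). The original list is untouched."""
    if not 0 <= after <= len(steps):
        raise ValueError(f"after={after} is outside 0..{len(steps)}")
    return steps[:after] + [text] + steps[after:]


def case_metrics(cases, steps):
    """MTTD, MTTR (detection to completion of the last step) and per-step means.

    Refuses Cases whose timings do not match the playbook length, so metrics
    recorded against an older playbook version are not silently misattributed."""
    if not cases:
        raise ValueError("no cases to measure")
    for c in cases:
        if len(c["step_minutes"]) != len(steps):
            raise ValueError(f"{c['case']} has {len(c['step_minutes'])} step timings "
                             f"for a {len(steps)}-step playbook")
    per_step = [mean(c["step_minutes"][i] for c in cases) for i in range(len(steps))]
    bottleneck = max(range(len(steps)), key=per_step.__getitem__) + 1
    return {
        "mttd": mean(c["detect_minutes"] for c in cases),
        "mttr": mean(sum(c["step_minutes"]) for c in cases),
        "per_step": per_step,
        "bottleneck_step": bottleneck,
        "bottleneck_text": steps[bottleneck - 1],
    }


if __name__ == "__main__":
    m = case_metrics(SAMPLE_CASES, PLAYBOOK_STEPS)
    print(f"MTTD {m['mttd']} min, MTTR {m['mttr']} min, "
          f"bottleneck step {m['bottleneck_step']}: {m['bottleneck_text']}")
    v2 = insert_step(PLAYBOOK_STEPS, 9, "Is the user a VIP? Escalate before disabling")
    print(f"Playbook v2 has {len(v2)} steps; step 10 is now: {v2[9]}")
```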


Automation use cases

Automation plays a pivotal role in SOAR. You can empower incident response teams with pre-packaged, customisable automation, reducing your time to respond from days to minutes.

Key uses for automation

LogRhythm SmartResponse Automation can help you solve some of the most common issues:

• Endpoint Quarantine: Disable the port/device that’s known to have a suspicious device.
• Suspend Users: If you suspect an account compromise, halt a user’s account access, no matter the device.
• Collect Machine Data: In the case of malware, SmartResponse can gather forensic data from the suspicious endpoint.
• Suspend Network Access: If data exfiltration occurs, your incident response team can close the connection by updating your network infrastructure’s access control list.
• Kill Processes: If an analyst detects an unknown or blacklisted process on a critical device, SmartResponse can kill it.

Following are some common use cases involving automation that can greatly reduce your response time to potential threats.

Contain a threat

When your team identifies a threat, you need to quickly contain it to prevent lateral movement and to stop the threat from escalating. If the threat involves malware, automation can help you instantly disable a user’s account. Automation also enables you to monitor and stop processes and keep track of any unexpected file changes.

For example, automation enables you to use integrations with Active Directory, Azure AD, Okta, or another IAM platform to disable a user account and reset credentials. It also lets you use a NAC solution or act directly on the host to quarantine it or take it offline to prevent a compromise from spreading. The benefit of using automation with LogRhythm is that analysts don’t need to be experienced with a third-party product; they simply approve or issue a SmartResponse action.

Explore privilege escalation

If your team detects suspicious activity in the form of privilege escalations, that’s typically a red flag that a threat exists or an attacker is in your network. You can use automation to determine the validity of a user and confirm whether that user has privileged access.

This might look like firing an alarm whenever you discover suspected privilege escalation. You can use automation to present contextual information such as details about the account being modified, user group information, and the user’s manager so the analyst can quickly determine if this is legitimate activity. If it’s not legitimate, you can implement an automated workflow to disable the account and reset credentials before the attacker accesses or exfiltrates sensitive data.
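The privilege escalation workflow just described, as an added example that is not LogRhythm code: constructed group-change events are screened against a list of privileged groups, each alarm is enriched with account, current-group and manager details from a constructed directory snapshot (standing in for an Active Directory, Azure AD or Okta lookup), and the disable-and-reset actions are issued only when the analyst’s verdict is “not legitimate”. Group names, users, events and the directory data are all constructed.

```python
"""Added example (not LogRhythm code): triage of a suspected privilege
escalation. Constructed group-change events are screened against a list of
privileged groups, each alarm is enriched with account, group and manager
details from a constructed directory snapshot, and the disable-and-reset
workflow runs only on a "not legitimate" verdict. All names are constructed."""
from dataclasses import dataclass
from typing import Dict, List

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Backup Operators"}

# Constructed directory snapshot standing in for an AD/Azure AD/Okta lookup.
DIRECTORY: Dict[str, dict] = {
    "jdoe":   {"display": "Jane Doe",  "dept": "Finance", "manager": "mroe",
               "groups": ["Finance-Users"], "privileged": False},
    "mroe":   {"display": "Mary Roe",  "dept": "Finance", "manager": "",
               "groups": ["Finance-Managers"], "privileged": False},
    "tsmith": {"display": "Tom Smith", "dept": "IT Ops",  "manager": "kli",
               "groups": ["IT-Admins", "Domain Admins"], "privileged": True},
    "kli":    {"display": "Ken Li",    "dept": "IT Ops",  "manager": "",
               "groups": ["IT-Managers", "Enterprise Admins"], "privileged": True},
}

# Constructed events: `actor` added `member` to `group`.
EVENTS = [
    {"ts": "2024-03-01T08:02:11Z", "actor": "svc-hr", "member": "jdoe",   "group": "Finance-Users"},
    {"ts": "2024-03-01T08:05:40Z", "actor": "tsmith", "member": "jdoe",   "group": "Domain Admins"},
    {"ts": "2024-03-01T08:07:03Z", "actor": "kli",    "member": "tsmith", "group": "Backup Operators"},
]


@dataclass
class Alarm:
    ts: str
    actor: str
    member: str
    group: str
    context: dict      # what the analyst sees alongside the alarm


def enrich(event: dict) -> Alarm:
    """Attach account details, current groups and the manager to the alarm."""
    acct = DIRECTORY.get(event["member"], {})
    mgr = DIRECTORY.get(acct.get("manager", ""), {})
    actor = DIRECTORY.get(event["actor"], {})
    context = {
        "account": acct.get("display", "<unknown account>"),
        "department": acct.get("dept", "<unknown>"),
        "current_groups": acct.get("groups", []),
        "already_privileged": acct.get("privileged", False),
        "manager": mgr.get("display", "<unknown manager>"),
        "actor_is_privileged": actor.get("privileged", False),
    }
    return Alarm(event["ts"], event["actor"], event["member"], event["group"], context)


def detect(events: List[dict]) -> List[Alarm]:
    """Fire one enriched alarm per addition to a privileged group."""
    return [enrich(e) for e in events if e["group"] in PRIVILEGED_GROUPS]


def respond(alarm: Alarm, legitimate: bool) -> List[str]:
    """Actions the automated workflow issues after the analyst's verdict."""
    if legitimate:
        return ["close-case:approved-change"]
    # Not legitimate: cut off the account before sensitive data is reached.
    return [f"disable_account:{alarm.member}", f"reset_credentials:{alarm.member}"]
```

Only the two additions to privileged groups produce alarms; the enrichment shows at a glance that Jane Doe is a Finance user with no prior privileged membership, which is the kind of context that lets an analyst decide quickly, and `respond` keeps the disruptive actions behind that decision.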

Manage user provisioning and deprovisioning

Managing the permissions of user accounts remains a struggle for many organisations. The problem? Security teams are already busy handling other issues. Adding users with different roles and privileges can be tedious and time consuming. By adding automation capabilities, your team can quickly add or remove user accounts to keep systems and data safe from threats.

With LogRhythm, you could easily build onboarding and offboarding playbooks for different roles. When a request comes in, you can create a Case and assign the relevant playbook. You can use SmartResponse automation to create or disable accounts in third-party resources, and use the playbook to ensure employees are following company procedures.
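Role-based onboarding and offboarding playbooks as an added example (not LogRhythm code): both playbooks are derived from one constructed role matrix, the actions are applied to a simulated set of third-party account stores, and a completeness check reports any system that onboarding grants but a given offboarding playbook never revokes. The roles, systems and the legacy offboarding list are constructed for the example.

```python
"""Added example (not LogRhythm code): onboarding and offboarding playbooks
derived from one role matrix, applied to simulated third-party account stores,
plus a check that offboarding revokes everything onboarding granted.
Roles, systems and the legacy playbook are constructed for the example."""
from typing import Dict, List, Set

# Constructed role matrix: which third-party systems each role receives.
ROLE_MATRIX: Dict[str, List[str]] = {
    "analyst":  ["ad", "okta", "ticketing"],
    "engineer": ["ad", "okta", "ticketing", "github", "cloud-console"],
}

# Constructed: an older hand-written offboarding playbook that predates two systems.
LEGACY_OFFBOARDING = ["disable_account:ad", "disable_account:okta",
                      "disable_account:ticketing", "notify_manager"]


def onboarding_playbook(role: str) -> List[str]:
    """Ordered SmartResponse-style actions to run when the onboarding Case opens."""
    return [f"create_account:{s}" for s in ROLE_MATRIX[role]] + ["notify_manager"]

def offboarding_playbook(role: str) -> List[str]:
    """Reverse of onboarding; accounts are disabled, not deleted, so logs keep the identity."""
    return ([f"disable_account:{s}" for s in reversed(ROLE_MATRIX[role])]
            + ["revoke_sessions", "notify_manager"])


class AccountStore:
    """Simulated third-party systems: maps system name -> set of active users."""
    def __init__(self) -> None:
        self.active: Dict[str, Set[str]] = {}

    def apply(self, user: str, action: str) -> None:
        verb, _, system = action.partition(":")
        if verb == "create_account":
            self.active.setdefault(system, set()).add(user)
        elif verb == "disable_account":
            self.active.get(system, set()).discard(user)
        # other verbs (notify_manager, revoke_sessions) leave the store unchanged

    def remaining_access(self, user: str) -> List[str]:
        return sorted(s for s, users in self.active.items() if user in users)


def run_case(store: AccountStore, user: str, playbook: List[str]) -> List[str]:
    """Apply every playbook action for the user and report the systems still granting access."""
    for action in playbook:
        store.apply(user, action)
    return store.remaining_access(user)


def missing_revocations(role: str, offboarding: List[str]) -> List[str]:
    """Systems that onboarding for `role` grants but `offboarding` never disables."""
    granted = {a.split(":", 1)[1] for a in onboarding_playbook(role) if a.startswith("create_account:")}
    revoked = {a.split(":", 1)[1] for a in offboarding if a.startswith("disable_account:")}
    return sorted(granted - revoked)
```

The check is the part worth keeping in a real playbook review: deriving both playbooks from the same role matrix makes them consistent by construction, while `missing_revocations` catches the common failure where an offboarding procedure was written before a new system was added to a role.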


What to consider in a SOAR solution

Choosing the right SOAR solution for your SOC can make the difference between establishing a mature, well-run organisation that makes measurable improvements in detection and response times and settling for modest improvements that are inconsistent or wasteful.

Beyond making your security analysts’ jobs easier and automating workflows to accelerate threat detection and investigation, SOAR also provides a framework for metrics to help you evaluate the SOC and enable continuous training and improvement. When exploring SOAR, an effective solution should meet the following criteria:

• A Sophisticated Dashboard: Find a SOAR solution with a dashboard that is sophisticated, yet easy to use.

• Central Evidence Repository: An effective SOAR solution accepts evidence from a variety of sources that you can search and allows analysts to easily share evidence with each other while preventing information from being exposed to attackers.

• Customisable Workflows: A good SOAR solution should integrate with existing infrastructure components, enabling teams to develop custom workflows that capture the anomalies hidden within the organisation.

• Playbooks: Guided workflows within a SOAR solution play a key role in enabling analysts to respond to and remediate threats from a single platform, increasing efficiency and efficacy when every second counts.

• Data Enrichment: A SOAR solution should have extensive capabilities for incorporating context-enriching data into an investigation to facilitate decision making.

• Library of Automated Responses: An extensive library of out-of-the-box automated responses to threats provides continuity across threat detection and response workflows without the need for APIs or custom integration work.

• APIs and Integrations: A SIEM with SOAR capabilities must be able to integrate with current and future technologies inside and outside the IT environment. As such, a SOAR solution should provide APIs and a range of integrations across multiple vendors and technologies.

• Ease of Use: A SOAR solution should be easy to operate and manage, with one-click functionality for common tasks like Case creation and threat intelligence lookup.

• Embedded SOAR Capabilities: A SIEM with integrated SOAR enables a SOC to optimise the efficiency gains it realises from SOAR.

CONCLUSION

If your organisation is still relying on manual processes to detect incidents, your analysts are likely struggling to address each and every alarm. With the increasing volume of threats and incidents coming your way, you need a better solution. SOAR can help.

By properly outlining your processes on paper, you can create playbooks to reflect those processes and then decide which you can automate. A SOAR solution can help you remove analysts’ menial tasks, which will keep them happier and more engaged. It can also accelerate onboarding because it doesn’t require analysts to be experts in all of your organisation’s technologies.

SOAR can also help you streamline your security operations team’s ability to detect and respond to threats faster, quantify key performance indicators such as MTTD and MTTR, and minimise damage from a potential incident. Once a procedure is defined, you should have the ability to gather metrics that show where you need to improve. Preapproved playbooks can help you find the areas where you can most effectively address organisational deficiencies. If you choose a SOAR solution well, automation can be a valuable tool for your team to help it focus on more important work, without getting lost in manual, tedious tasks.

Curious about how LogRhythm can help you? Let one of our experts show you. Schedule a demo today. www.logrhythm.com/demo

About LogRhythm

LogRhythm is a world leader in NextGen SIEM, empowering thousands of enterprises on six continents to successfully reduce cyber and operational risk by rapidly detecting, responding to and neutralising damaging cyberthreats. The LogRhythm NextGen SIEM Platform combines advanced security analytics; user and entity behaviour analytics (UEBA); network detection and response (NDR); and security orchestration, automation, and response (SOAR) in a single end-to-end solution. LogRhythm’s technology serves as the foundation for the world’s most modern enterprise security operations centres (SOCs), helping customers measurably secure their cloud, physical, and virtual infrastructures for both IT and OT environments. Built for security professionals by security professionals, the LogRhythm NextGen SIEM Platform has won countless customer and industry accolades. For more information, visit logrhythm.com.

+44 (0)1628 918 330 // europe@logrhythm.com // Regional HQ, Clarion House, Norreys Drive, Maidenhead, SL6 4FL, United Kingdom