Security Orchestration Automation and Response (SOAR) is taking the security industry by a storm. Gartner coined the term in 2015—the same year as the founding of Demisto—and, since then, SOAR solutions have achieved a growing market share. Security Operations Centers (SOCs) are getting rid of custom or limited-use case management and chat systems, and moving their entire workflows over to their SOAR tool. SOCs are automating mundane tasks such as basic malicious domain blocking and focusing on harder problems like developing indicators of attack chains based on specific adversary Tactics Techniques and Procedures (TTPs).
SOAR is an obvious solution for traditional SOC monitoring which includes many mundane, manual tasks. Simple, well-defined tasks with clear inputs and outputs are easy to automate. Threat hunting on the other hand, is a complex task with unclear inputs and outputs. Threat hunters have to be creative and generate hypotheses to test in the environment. Hunters should explore data and be ready to pivot to new hypotheses after initial exploration. What value then, can SOAR bring to threat hunting? Palo Alto Networks' Cortex XSOAR platform simplifies and improves threat hunting to empower rapid and comprehensive hunts.
The beginning of any hunt is a good hunt hypothesis. Threat hunters can generate good hypotheses using Cortex XSOAR’s threat intelligence management and intelligence feed integrations. Following the generation of hypotheses, hunters will come up with methods and queries to test their hunt hypotheses. Hunters can map out their plan in a Cortex XSOAR Work Plan tab and execute against that plan. If new information arises, they can easily update the Work Plan for an agile hunt. They can place all queries that they develop or find through research in their work plan and execute those queries at the click of a button. Then hunters’ time and energy during the hunt can be focused on creative investigations based on emerging data.
Single Pane of Glass
Switching between several tools takes time away from testing hypotheses and generating new, creative ideas. Typing IP or MAC addresses introduces chances of small human error which can create unnecessary delays. Hunters also have to take good notes so that they can track the status of the hunt across multiple tools. Cortex XSOAR’s single pane of glass eliminates this problem. Hunters can execute all of their hunting actions from Cortex XSOAR via integrations with those tools. To track the status of the hunt, easy to make dashboards will contain whichever data hunters need to visualize current status.
Collaboration with Fellow Hunters
If the hunting team has multiple people working on the same hunt simultaneously, Cortex XSOAR will significantly ease collaboration. All hunters will see the hunt information update in real time and can track one another’s progress to allow deconfliction without significant delays. As hunters gather artifacts, they can add them to the evidence board for other hunters to see. Hunters can also add notes and chat with one another as desired.
At the end of the threat hunt, hunters will owe a report to the customer. Hunters spend a lot of time transferring their notes into clean, standardized report formats for the customer. Cortex XSOAR generates automated reports from case data, and hunters can generate reports or at least parts of their reports with ease. Hunters can design report formats and then have their case generate a report of that format with the click of a button.
Moving on to the Next Hunt
Threat hunts should be creative and new. If hunters are doing the same hunt over and over, they are wasting time which can be spent on new hunts. Once analysts have completed a hunt, they can automate it for use by other teams. Those teams can then run those hunts automatically and focus their attention on more challenging problems. In some cases, they may be able to pass these automated hunts to security monitoring teams to generate detections.