XSOAR is a Security Orchestration, Automation and Response platform. Generally speaking, this means that we perform the right response, orchestrated from a central platform, while automating the annoying and repeatable tasks which slow us down.
Using the commonly known terminology of the Incident Response Cycle, XSOAR thrives in the areas of analysis, containment and remediation. As a great feature, our Playbook design tool also follows the standard flow-diagram model from process and use-case design.
Many companies struggle when working with XSOAR, as our out-of-the-box playbooks have been curated and improved over the years and can seem complex to companies whose current processes are smaller, or to those who haven’t started building out their processes yet.
As in process design, the whole approach is rather small and contains three components: Input, Processing and Output.
XSOAR adds benefits for you, such as:
A new Playbook should be minimalistic in its approach: take a certain input and arrive at a certain output. Trust me when I say that a Playbook will grow once you get the hang of XSOAR and add more tools and integrations to your processing steps.
The basic processing of incidents should consist of standard steps like:
Using “extractIndicators” on certain parts of the incident data will give you a list of all indicators within the incident. This list can be fed into the “enrichIndicators” task to query third-party enrichment such as VirusTotal, AlienVault OTX or IPinfo. These and many more are available on our Marketplace.
Now with all the data in place we can estimate the overall severity of the incident. The “DBotAverageScore” is a great starting point until you find the approach that suits you best. It simply computes a score based on all the different indicator scores.
Once you get used to XSOAR and all its possibilities, you may add different tasks and steps to these playbooks and start to specialize them based on the remediation steps.
Some sub-playbooks you may want to consider are:
As a side note, you can of course also create a “Crown Jewel” indicator type and save all the relevant IP addresses in the standard indicator library with a high severity, so they affect the average verdict of an incident.
We should also discuss the idea of remediation at this point. Remediation describes all the steps you want to take as part of the containment of an incident or the recovery from it. This can also be a ticket you open somewhere or an email you send. If this is the case, the whole remediation part is, at most, a single task.
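To make the Input, Processing and Output flow concrete, here is an added Python example that is not part of the original post and not XSOAR's own code. It models the three steps described above: extracting indicators from incident text (a simplified regex stand-in for the extractIndicators command), enriching them (a constructed lookup table standing in for enrichIndicators and the Marketplace integrations), and computing an average verdict in the spirit of DBotAverageScore. The incident text, the enrichment results, the "Crown Jewel" list and the severity thresholds are all constructed assumptions for the example; the 0 to 3 score scale (unknown, good, suspicious, bad) is the DBot scale XSOAR uses for indicator reputation.

```python
import re
import statistics

# Constructed incident data for the example; not from any real incident.
INCIDENT = {
    "id": 1234,
    "details": (
        "Phishing mail from 198.51.100.23 linking to http://malicious.example/login "
        "and also mentioning 10.0.0.5 (internal file server)"
    ),
}

# Constructed stand-in for enrichment results. In XSOAR these would come from
# enrichIndicators querying Marketplace integrations (VirusTotal, OTX, IPinfo).
# DBot scale: 0 unknown, 1 good, 2 suspicious, 3 bad.
ENRICHMENT = {
    "198.51.100.23": 3,
    "malicious.example": 2,
}

# Assumed "Crown Jewel" list: the post suggests storing such IPs as a custom
# indicator type with high severity so they pull the average verdict up.
CROWN_JEWELS = {"10.0.0.5"}

IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


def extract_indicators(text):
    """Input step: collect IPs and URL hostnames found in the incident text.
    Simplified stand-in for the extractIndicators command."""
    found = set(IP_RE.findall(text)) | set(DOMAIN_RE.findall(text))
    return sorted(found)


def enrich_indicators(indicators, crown_jewels=CROWN_JEWELS):
    """Processing step: attach a DBot-style score to each indicator.
    Crown jewels score 3 by policy; indicators with no enrichment score 0."""
    scored = {}
    for ind in indicators:
        scored[ind] = 3 if ind in crown_jewels else ENRICHMENT.get(ind, 0)
    return scored


def average_score(scored):
    """Output step: overall verdict modelled on DBotAverageScore, the mean of
    all indicator scores, rounded to one decimal. No indicators -> 0.0."""
    if not scored:
        return 0.0
    return round(statistics.mean(scored.values()), 1)


def severity_from_score(score):
    """Map the average to a severity label. Thresholds are an assumption."""
    if score >= 2.5:
        return "High"
    if score >= 1.5:
        return "Medium"
    if score > 0:
        return "Low"
    return "Unknown"


def triage(incident, crown_jewels=CROWN_JEWELS):
    """Run the three steps end to end and return the verdict."""
    indicators = extract_indicators(incident["details"])
    scored = enrich_indicators(indicators, crown_jewels)
    avg = average_score(scored)
    return {"indicators": scored, "average": avg, "severity": severity_from_score(avg)}


if __name__ == "__main__":
    print(triage(INCIDENT))
    # Same incident without the crown-jewel list, to show its effect on the verdict
    print(triage(INCIDENT, crown_jewels=set()))
```

Running the two calls at the bottom shows why the crown-jewel idea matters: with the internal server listed, the three scores (3, 3, 2) average to 2.7 and the incident lands at High; without it the internal IP scores 0, the average drops to 1.7 and the same incident is only Medium.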
Depending on the incident type, we also offer some remediation playbooks you can easily add to your current playbook. For this, simply open the Task Library and select the Playbook which suits your situation best. Keep in mind that many of the Marketplace Content Packs will expand these remediation tasks based on the specific integration you are using. Many firewall integrations will provide the specific steps you need to take in order to block an IP, for example.
As always, be excellent to each other and read you soon!