In the dynamic world of cybersecurity, the importance of efficient and effective security operations cannot be overstated. Security Orchestration, Automation, and Response (SOAR) tools have emerged as a powerful solution to streamline repetitive tasks and create custom workflows. However, they come with their own set of challenges. This is where Intezer steps in, offering a unique solution to enhance your SOAR capabilities and achieve true automation for your alert triage and incident response processes.
Challenges of SOAR Automation
SOAR products are beneficial tools, designed to automate repetitive tasks and create custom workflows across multiple security systems. However, most alert-triage playbooks still require significant human involvement and decision-making, which leaves room for human error and adds to the workload of your security team. Setting up SOAR tools also often requires custom engineering, which can be time-consuming and complex.
These challenges, among others, prevent many security teams from truly automating Tier-1 and Tier-2 tasks, leaving them with the same resource shortage they hoped to solve with automation.
Supercharge your SOAR with Intezer
True Alert Triage Automation (Without Complex Playbooks)
Intezer offers a unique solution to bridge those gaps and make the most out of any SOAR product. With its automated alert investigation technology and a simple webhook integration, we provide an easy way to incorporate smart decision making into your new or existing playbooks.
For example, instead of engineering a custom playbook that collects multiple pieces of evidence for a Crowdstrike alert, analyzes each piece, and then applies complex logic to reach an incident-wide conclusion, Intezer already does that for you, providing a clear triage assessment that can be abstracted into a single block in your SOAR playbook. That way, you reduce the need for human involvement as well as for complicated, hard-to-maintain custom engineering.
A human-like decision making component for your playbooks
Intezer’s alert triage assessment includes important information resulting from an automated alert investigation, such as:
- Verdict (is it a false positive? True positive?)
- Risk level (is it a critical threat or just unwanted software?)
- Whether it requires immediate attention and should be escalated
- Associated threat actor or malware family
- IOCs from all the pieces of evidence that are associated with the alert
- Analysis results of every piece of collected evidence
- Recommended next steps
Traditionally, getting to such conclusions (for example, deciding if a certain alert is a false positive) requires human involvement, even in cases of well-implemented SOARs. However, since Intezer mimics the skills of a human analyst, you get those conclusions as a simple JSON object which you can use to power your automation strategy.
Simply put, the decision-making information described above is the missing piece of the puzzle to achieve true automation of Tier-1 and Tier-2 tasks with your SOAR.
How to Incorporate Intezer’s Smart Decision Making into Your SOAR
Integrating your endpoint security (EDR)
In order for Intezer to send triage assessments to your SOAR, you first need to integrate Intezer with one of our supported endpoint security products (mainly Crowdstrike, SentinelOne and Microsoft Defender). That way, Intezer will investigate all your alerts automatically and create an alert report, which is then sent to your SOAR.
Setting up a webhook
Setting up a webhook is a crucial step in integrating Intezer into your SOAR tool. This is what allows you to receive alert triage assessments in real time. Most SOAR tools provide an easy way to generate a webhook URL that other systems can use to push data. Treat that URL as a credential: anyone who obtains it can post data into your playbook, so share it only over secure channels and rotate it if it is ever exposed.
Once you generate a webhook URL within your SOAR, send the URL to our support (firstname.lastname@example.org), who will set it up behind the scenes. Once set up, your SOAR should immediately start receiving alert investigation data.
Please refer to our documentation for more information about the topic.
Recommended workflows and how to use Intezer’s investigation data in your playbooks
In our documentation we provide an example JSON object structure that represents the Intezer triage assessment.
While there are numerous use cases and playbooks that can benefit from Intezer’s alert triage assessment, we highly recommend incorporating it into these key workflows:
- Resolving False Positives: Intezer’s assessment can be used to automatically resolve or de-prioritize tickets that have been identified as false positives. This can also include automatically excluding relevant hashes from future alerts, reducing the noise and allowing your team to focus on genuine threats.
How? Use the “response.user_recommended_actions” field or the “response.status” field to determine if the alert is a false positive. We recommend removing or deprioritizing tickets accordingly.
- Escalation of Urgent Incidents: If an incident was determined by Intezer to be of high urgency, you can trigger immediate notifications, ensuring that your team is alerted promptly and can respond effectively. Alerts that have not been escalated by Intezer can be reviewed in a periodic manner, as they likely don’t require your team’s attention.
How? If “response.status” is “escalated”, we recommend triggering a high-urgency notification, for example through PagerDuty.
- Enrichment: Intezer’s assessment can provide valuable information to enrich your existing tickets/cases, providing deeper context and aiding in the investigation and response process.
How? We recommend using the “triage_result”, “response” and “scans” fields. We also recommend using the “alert_id” field to build a link to Intezer’s portal for deeper, visual investigation, “https://analyze.intezer.com/alerts/[alert_id]”, which can be added to tickets.
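The three workflows above share one decision step: read the triage assessment JSON, then close, escalate or enrich the ticket. The following Python is an added example of that step written here for illustration; it is not Intezer’s code and not a SOAR vendor’s script. The field names it reads (alert_id, triage_result, response.status, response.user_recommended_actions, scans) and the “escalated” status value are the ones named in this post; the overall payload shape, the status strings treated as false positives, the “sha256” key inside each scan entry and the sample payloads themselves are assumptions and should be adjusted to the schema in Intezer’s documentation.

```python
import json
from dataclasses import dataclass, field

PORTAL_ALERT_URL = "https://analyze.intezer.com/alerts/{alert_id}"

# "escalated" is the response.status value the post documents for urgent alerts.
STATUS_ESCALATED = "escalated"
# ASSUMPTION: the post does not give the status value for a false positive,
# so this example accepts these status strings and these phrases in
# response.user_recommended_actions; adjust them to the documented schema.
FALSE_POSITIVE_STATUSES = {"false_positive", "resolved_false_positive"}
FALSE_POSITIVE_ACTION_HINTS = ("false positive", "close the alert")


@dataclass
class PlaybookDecision:
    action: str          # "escalate", "close_false_positive" or "enrich"
    urgency: str         # "high" or "normal"
    portal_url: str      # deep link to add to the ticket
    verdict: str         # taken from triage_result
    hashes: list = field(default_factory=list)  # distinct hashes across all evidence


def hashes_from_scans(scans):
    """Collect distinct SHA-256 values from the per-evidence scan results.

    ASSUMPTION: each entry in "scans" carries a "sha256" key.
    """
    seen = []
    for scan in scans or []:
        digest = scan.get("sha256")
        if digest and digest not in seen:
            seen.append(digest)
    return seen


def looks_like_false_positive(response):
    """Apply the false-positive test to the "response" object."""
    status = str(response.get("status", "")).lower()
    if status in FALSE_POSITIVE_STATUSES:
        return True
    actions = response.get("user_recommended_actions") or []
    return any(hint in str(action).lower()
               for action in actions
               for hint in FALSE_POSITIVE_ACTION_HINTS)


def decide(payload):
    """Map one parsed triage assessment to a playbook action."""
    for key in ("alert_id", "response", "triage_result"):
        if key not in payload:
            raise ValueError(f"assessment is missing required field {key!r}")
    response = payload["response"]
    portal_url = PORTAL_ALERT_URL.format(alert_id=payload["alert_id"])
    verdict = str(payload["triage_result"].get("verdict", "unknown"))
    hashes = hashes_from_scans(payload.get("scans"))

    # Escalation wins over every other rule: an escalated alert pages someone
    # even if the verdict text is ambiguous.
    if response.get("status") == STATUS_ESCALATED:
        return PlaybookDecision("escalate", "high", portal_url, verdict, hashes)
    if looks_like_false_positive(response):
        # The hashes are what a follow-up step would add to the EDR exclusion list.
        return PlaybookDecision("close_false_positive", "normal", portal_url, verdict, hashes)
    # Anything else stays open for periodic review, enriched with context.
    return PlaybookDecision("enrich", "normal", portal_url, verdict, hashes)


def handle_webhook(body):
    """Entry point a SOAR script step would call with the raw POST body (bytes)."""
    return decide(json.loads(body))


# Constructed sample payloads; the shape is assumed, not copied from the docs.
SAMPLE_ESCALATED = json.dumps({
    "alert_id": "00000000-0000-4000-8000-000000000001",
    "triage_result": {"verdict": "malicious", "risk_level": "critical"},
    "response": {"status": "escalated",
                 "user_recommended_actions": ["Isolate the host"]},
    "scans": [{"sha256": "a" * 64, "verdict": "malicious"},
              {"sha256": "b" * 64, "verdict": "trusted"},
              {"sha256": "a" * 64, "verdict": "malicious"}],  # same file seen twice
}).encode()

SAMPLE_FALSE_POSITIVE = json.dumps({
    "alert_id": "00000000-0000-4000-8000-000000000002",
    "triage_result": {"verdict": "trusted", "risk_level": "none"},
    "response": {"status": "false_positive",
                 "user_recommended_actions": ["Close the alert as a false positive"]},
    "scans": [{"sha256": "c" * 64, "verdict": "trusted"}],
}).encode()

if __name__ == "__main__":
    for body in (SAMPLE_ESCALATED, SAMPLE_FALSE_POSITIVE):
        print(handle_webhook(body))
```

Checking for “escalated” before applying the false-positive test is deliberate: if the two ever disagree, the safe outcome is a page rather than a silently closed ticket. Rejecting payloads that lack the documented top-level fields, instead of defaulting them, keeps a schema change on the sender’s side from being misread as a stream of false positives.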
Powerful Automation for Incident Response Tasks
Incorporating Intezer’s smart decision-making into your SOAR tool can truly automate Tier 1-2 investigations, enhancing your security operations and reducing the workload for your team. We’re excited to help you on this journey and are always here to provide support and feedback along the way. By leveraging Intezer’s capabilities, you can expect to see a significant impact on your security operations.