Please enable JavaScript.

Coggle requires JavaScript to display documents.

SOC - TOOLS - Coggle Diagram

- - - - ◇ Review Key Indicators such as failed logins, suspicious network activity, or policy violations.
      - ◇ Keep an eye on predefined or custom alerts triggered by rules set within Splunk.
      - ◇ Prioritize alerts based on risk level, alert severity, and potential business impact.
      - ◇ Use the Security Posture Dashboard to get a high-level overview of the current security state.
  - - - ▪ Cross-correlate logs from multiple sources (e.g., firewalls, intrusion detection systems, endpoint security logs) to gather evidence for each alert.
      - ▪ Use Drill-down capabilities in Splunk to dive deeper into specific events (e.g., drilling down into specific login attempts or firewall rule changes).
      - ▪ False Positive Management: If an alert is determined to be a false positive, document and update correlation rules to minimize noise in the future.
      - ▪ Use Splunk ES’s Incident Review panel to view alerts that need attention.
  - - - ▪ Use Splunk Adaptive Response actions (e.g., quarantining a host, disabling user accounts) directly from within Splunk ES.
      - ▪ Collaborate with IT or network teams to block malicious IPs, apply patches, or remediate vulnerabilities.
      - ▪ Post-incident Review: Document the incident, response activities, and lessons learned for post-incident analysis.
      - ▪ Follow your organization's incident response plan for containment, eradication, and recovery.
  - - - ▪ Use threat intelligence feeds integrated with Splunk ES to enrich event data and correlate external threat intelligence (e.g., IP blacklists, domain reputation) with internal logs.
      - ▪ Custom Searches: Modify or create custom searches to identify specific threats relevant to your environment.
      - ▪ Write and run correlation searches within Splunk to detect complex threats involving multiple indicators (e.g., combining login failures, suspicious file downloads, and network anomalies).
  - - - ▪ Parse and filter logs from firewalls, IDS/IPS, application logs, and system logs for specific patterns.
      - ▪ Create ad-hoc reports based on security incidents or log findings.
      - SPL Query (query checks for multiple failed logins followed by a successful login for specific users.)
        
        index=authentication action=failure OR action=success
        
        | stats count by user, src_ip, action
        
        | where count > 5
      - ▪ Write custom SPL queries to filter and search log data for deeper investigations.
  - - - ▪ Leverage MITRE ATT&CK framework searches and dashboards in Splunk ES for threat-hunting activities.
      - ▪ Investigate anomalous behavior such as unexpected spikes in network traffic, strange user activity, or uncommon command executions.
      - ▪ Use Splunk ES analytics to hunt for abnormal behavior, such as lateral movement, privilege escalation, or data exfiltration.
  - - - ▪ Produce reports on key performance indicators (KPIs) like MTTR (Mean Time to Respond), MTTD (Mean Time to Detect), and number of false positives.
      - ▪ Create compliance reports based on regulatory frameworks (e.g., PCI DSS, HIPAA) to show adherence to security policies.
      - ▪ Generate daily/weekly reports summarizing security incidents, alerts, and response efforts.
  - - - ▪ Refine rules based on feedback from previous incidents or false positives.
      - ▪ Create new rules based on evolving threats or changes in the environment.
      - ▪ Use Machine Learning Toolkit in Splunk to create models for anomaly detection.
      - ▪ Regularly review and update existing correlation searches and alert thresholds to improve detection capabilities.
  - - - ▪ Create searches that correlate internal events with known bad IPs, domains, or file hashes from threat feeds.
      - ▪ Update threat intelligence sources regularly to ensure that you are using up-to-date information for correlation.
      - ▪ Integrate external threat feeds (e.g., VirusTotal, Recorded Future, or open-source feeds) to enrich Splunk data.
  - - - ▪ Use Splunk’s Adaptive Response Actions to trigger actions like quarantining devices, disabling accounts, or blocking IPs automatically.
      - ▪ Participate in post-incident reviews to identify improvements in detection and response workflows.
      - ▪ Share investigation details and findings from Splunk with other teams to facilitate response efforts.
  - - - ▪ Follow security news and threat intelligence reports to adapt your security monitoring efforts accordingly.
      - ▪ Use Splunk’s built-in Security Content Exchange to apply new searches, dashboards, and alert rules designed for emerging threats.
      - ▪ Regularly attend training sessions on Splunk updates, new features, and threat detection techniques.
  - - - ◇ Respond to any confirmed security incidents using Adaptive Response Actions.
        ◇ Collaborate with IT to remediate affected systems.
    - - ◇ Use the Threat Hunting Dashboards to proactively search for indicators of compromise (IoCs) that might have gone unnoticed.
    - - ◇ Continuously monitor the Security Posture Dashboard for real-time alerts.
        ◇ Perform triage on medium and low-priority incidents, determining if further investigation is needed.
    - - ◇ Generate end-of-day reports on incident handling, response times, and any open investigations.