Flashcards in SECOPS 12: SOC WMS and Automation Deck (18)
Tags/IDs, tracks a security event, and tracks the actions to deal with the event
Tool to orchestrate & automate IR process
SOAR stands for
Security Orchestration Automation and Reporting
System that performs containment and eradication
Flow-chart style. One step to the next
Progress from state to state
Rules dictate process
Guides analysts through the triage and response procedure
IR lifecycle (4)
Detection and Analysis
Containment, Eradication, Recovery
Post-incident activity
Tier 1 Analyst
Monitors alerts, triages security alerts, collects data to escalate to Tier 2
Tier 2 Analyst
Deep IA by correlating data. Determines effect. Advises on remediation.
Manages incident. Executes containment. Comms.
Gathers, analyzes data for investigation. Maintains data integrity.
Reverse engineering specialist
IDs TTPs and IOCs. Signature writing.
Used to send/receive data between tools
Command-line APIs
Often one off uses between WMS and other systems