SOAR Use Case: Alert Triage – EDR Alert Triage

Endpoint detection and response (EDR) is one of the most critical components of breach
prevention by detecting and responding to attacks, since almost any attack targeting data eventually ends up on an endpoint. But while EDR products give deep and broad visibility to what is happening on endpoints, they are also noisy, with limited capabilities for automatically analyzing data to identify specific attacks. They typically generate too many alerts with a high volume of false positives, making it difficult for security analysts to know which threats they need to address, slowing down the detection and response process.

Devo SOAR can automatically analyze events and alerts from an EDR solution and perform
actions like identifying relevant Incidents of Compromise (IOCs) and correlating multiple instances of suspicious activity. For example, when an EDR alert is received, the source IP can be extracted and sent to one or more threat intelligence platforms for analysis, and reputation scores can automatically be added to the associated case. Devo SOAR can also take additional actions, such as retrieving user data or potentially overlooked alerts for additional analysis. Automated decision making and triage with Devo SOAR enables you to focus your time on rapidly responding to true positive threats.