SOAR Use Case: Data Loss Prevention (DLP) Alert Triage
While a SOAR solution is architected to operate largely on the strength of its integrations with third-party solutions and its ability to verify and respond to alerts generated by those platforms, not all potential threats or security events are first identified by a security product. Many come from individual users, who either report them directly to the security operations team through channels such as email or Slack, or send them to the IT operations team, where they are recorded in a trouble-ticketing system such as ServiceNow. While these are not always immediately critical threats, they often require quick intervention by the security team to prevent disruptions to normal operations. Many organizations, however, are hindered by the slow, manual processes they rely on for handling user-reported threats.
Devo SOAR playbooks can be set up to investigate and respond to user-reported incidents that arrive in many different formats. For example, one playbook can automatically retrieve and analyze user-reported phishing attempts from a SOC inbox, extract relevant details from the emails, perform rapid investigations, and execute the proper incident response processes. Another might be set up to watch for security-related requests entered into a trouble-ticketing system, such as a password reset request. The playbook could automatically extract the user's data, look for indicators of compromise (IOCs) such as unusual authentication or other activity by that user, confirm with the user that the request is legitimate, and, based on the results, either notify the user by text that the password has been reset or notify the appropriate resource that the account has been compromised.