SOAR Use Case: Automating Threat Hunting in AWS CloudTrail Logs
GitHub is frequently a repository for confidential intellectual property (IP). An attacker accessing the right github repository can steal critical proprietary information about product roadmaps, unresolved bugs, product vulnerabilities, etc. In the wrong hands, this information can be incredibly damaging to a company.
Devo SOAR playbooks can automatically baseline GitHub activity, profiling a broad range of data points, including the typical number of GitHub repositories and authorized users, unique logins from specific IP addresses, and the expected behavior of individual users within the repository. This establishes a profile of expected behavior that can be used to identify when a user is behaving abnormally. Rather than waiting for indications that a breach has occurred, Devo SOAR can proactively hunt for suspicious activity and automatically disable an account before it is used to perform malicious actions like stealing critical data.