Installing SOC Solutions Bundle
The SOC Solutions Bundle is a solution bundle made up of four smaller, interconnected solutions: Phishing Triage, Alert Triage, Threat Intelligence (TI), and Case and Incident Management (CIM). For more information, see the corresponding sections. This installation and configuration documentation is for the Canvas version of the SOC Solutions Bundle only.

Important Definitions

Ingestion Component: A component or set of components that interact with a vendor endpoint, such as running a SIEM search, looking up observable reputation, or initiating a remediation action. Ingestion components normalize inputs and outputs using interfaces to enable swappable component usage, and convert various 3rd-party alerts, reputations, emails, and so on to a common schema for use in Turbine solutions such as SOC Solutions.

Turbine Extendable Data Schema (TEDS): Turbine's native common schema for interacting with alerts, emails, reputations, and so on.

Install from Library

Follow these steps:

1. Navigate to the Swimlane Content Library: from your desired tenant, click Library, then click Swimlane Content.
2. Install the SOC Solutions Bundle: select SOC Solutions Bundle from the list of solutions and click Install on the solution.

You may be prompted to overwrite content if some content already exists in your environment. You can avoid overwriting content by deselecting the items you do not wish to overwrite, and the solution will still work; however, if you deselect too many items, you will not import the full solution.

Once you have installed the SOC Solutions Bundle, it is time to configure it to ingest data from your tools for your use cases:

- For SIEM, XDR, or EDR alert triage, see SOC Alert Ingestion (Cron) Template Playbook Overview and SOC Alert Ingestion (Webhook) Template Playbook Overview.
- For phishing triage, see SOC Bulk Ingest Phishing Emails Template Playbook Overview.

Once you have configured one or more alert sources, you might want to add threat intelligence to enhance your observables; see Configure Threat. Lastly, you may want to configure CIM for your particular needs; see Configure Custom Case and Incident Management Data Mappings.

Configure Included Assets

In order to use 3rd-party tools for ingestion, enrichment, and so on, you must configure the assets for the tools you wish to use.

1. Navigate to Orchestration > Assets.
2. Configure all supplied assets for the 3rd-party technologies you wish to use, that is, VirusTotal, Recorded Future, abuse.ch URLhaus, and IPQualityScore.

Configure Custom Assets

The SOC Solutions Bundle contains a number of custom assets whose purpose is to allow you to configure variables used in one or more playbooks or components without having to edit those playbooks or components directly.

1. Open the Observable Parser Ignore Lists asset. Enter CSV lists of IP CIDR ranges and domains you wish to exclude from observable ingestion, for example:
   mycompany.com, outlook.com, swimlane.com, o365.com
   10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12
2. Open the TI Primary Intelligence Providers asset. If you wish to change the primary provider for any TI types, do so here. There must be valid and configured enrichment sources. For more information, see Configure Threat.
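To show what the Observable Parser Ignore Lists asset achieves, here is an added example (not Swimlane's own parser code) that applies the page's sample CSV lists to a constructed set of observables. It assumes the common semantics of such lists: an IP is ignored when it falls inside a listed CIDR range, and a domain is ignored when it equals a listed domain or is a subdomain of one; the observable dict shape is an assumption.

```python
import ipaddress

# Constructed sample values mirroring the page's example ignore lists.
DOMAIN_IGNORE_CSV = "mycompany.com, outlook.com, swimlane.com, o365.com"
CIDR_IGNORE_CSV = "10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12"


def parse_csv_list(csv_text):
    """Split a comma-separated asset value into trimmed, lowercase, non-empty items."""
    return [item.strip().lower() for item in csv_text.split(",") if item.strip()]


def build_ignore_lists(domain_csv, cidr_csv):
    """Return (domains, networks): domain suffixes as strings, CIDRs as ip_network objects."""
    domains = [d.lstrip(".") for d in parse_csv_list(domain_csv)]
    networks = [ipaddress.ip_network(c, strict=False) for c in parse_csv_list(cidr_csv)]
    return domains, networks


def domain_ignored(domain, ignore_domains):
    """True if domain equals an ignored domain or is a subdomain of one (suffix match on a label boundary)."""
    domain = domain.lower().rstrip(".")
    return any(domain == d or domain.endswith("." + d) for d in ignore_domains)


def ip_ignored(ip_text, ignore_networks):
    """True if the address falls within any ignored CIDR range; non-IP input is never ignored here."""
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in ignore_networks)


def filter_observables(observables, domain_csv, cidr_csv):
    """Drop observables matching the ignore lists; return the observables left for ingestion."""
    ignore_domains, ignore_networks = build_ignore_lists(domain_csv, cidr_csv)
    kept = []
    for obs in observables:
        kind, value = obs["type"], obs["value"]
        if kind == "domain" and domain_ignored(value, ignore_domains):
            continue
        if kind == "ip" and ip_ignored(value, ignore_networks):
            continue
        kept.append(obs)
    return kept


# Constructed observables (hypothetical shape) as a parser might extract them from an alert or email.
SAMPLE_OBSERVABLES = [
    {"type": "domain", "value": "mail.mycompany.com"},   # subdomain of an ignored domain
    {"type": "domain", "value": "evil-mycompany.com"},   # only looks similar; must be kept
    {"type": "ip", "value": "10.20.30.40"},              # inside 10.0.0.0/8
    {"type": "ip", "value": "172.32.0.1"},               # just outside 172.16.0.0/12; must be kept
    {"type": "ip", "value": "203.0.113.7"},              # public address; must be kept
]
```

Note that a lookalike such as evil-mycompany.com is deliberately kept, so a suffix match must be anchored on a label boundary rather than a plain substring check.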