SOC Solutions Bundle

the soc solutions bundle consists of four interconnected solutions phishing triage, alert triage, threat intelligence (ti), and case and incident management (cim) phishing triage and alert triage are the primary ingestion workflows that process incoming events into signals in the cim application the ti solution enriches observables extracted from incoming cases together, these four solutions provide workflows to triage and manage critical security events the ai agents case management extension enhances the soc solutions bundle with hero ai powered analysis capabilities, providing automated threat analysis, verdict classification, and actionable recommendations to accelerate soc analyst workflows solutions overview alert triage how it works the alert triage solution is composed of several playbooks that triage events from a siem, xdr, edr, or other security alert source you can use either a webhook to push alerts from your source into turbine, or a bulk ingestion component in the solution to pull alerts each alert is processed to identify and extract the important observables a signal is created in the case and incident management (cim) application and populates relevant alert data then the threat intelligence (ti) application evaluates observables discovered in your alert to categorize, evaluate, and prioritize the event before mitigation or remediation you can configure the solution to work with any number of siems, xdrs, edrs, or other security tools similarly, you can customize playbook actions to fit any company’s existing or preferred soc processes capabilities the alert triage solution provides connectors, assets, and playbooks for triaging alerts from security information and event management (siem), (extended detection and response) xdr, or endpoint detection and response (edr), etc products automates ingestion of alerts via webhook or api request summarizes alert data enriches observables and identifies actionable data feeds into case and incident management application phishing triage how it works the phishing (email) triage solution is composed of several playbooks that process emails that users submit because they suspect them to be phishing attempts the solution extracts the critical information from the email (such as observables) and attaches them to a new signal in the cim application then threat intelligence providers, configured in the ti application, evaluate the observables discovered in the suspected phishing email a rendered image of the suspected phishing email is also generated to provide a safe way to view the contents of the email additionally, the solution automatically saves email attachments to the ti record for security reasons, this functionality is disabled by default to configure, review the configuration information below additionally for security reasons, an image of the original email is saved as part of the case rather than the original content turbine users can customize the phishing triage playbooks to fit any company’s existing or preferred soc processes capabilities the phishing triage solution has the following capabilities provides connectors, assets, and playbooks for triaging reported phishing emails automates ingestion of emails with reported phishing emails attached summarizes reported phishing email data enriches observables and identifies actionable data feeds into case and incident management application threat intelligence how it works the threat intelligence (ti) solution works with one or more threat intelligence providers to enrich the observable evidence extracted in the phishing triage and alert triage solutions when a ti record is created, several playbooks evaluate the observable against the intelligence provided by the intelligence providers the results are used to update the ti record, which is associated with the signal being triaged capabilities the threat intelligence solution provides connectors, assets, and playbooks for enriching ti observables allows configuration of multiple threat intelligence providers, including a configurable primary trusted intelligence provider per observable type (domain, ip, etc ) allows automated enrichment of observables identified from alert and phishing triage playbooks and ad hoc searches through the cim application workflow case and incident management how it works the cim solution works with the alert triage and phishing triage solutions to create and manage signals for each event being investigated the created signals serve as the primary interaction point for investigations, showing the details, status, and next steps for each signal signals that are identified as true positive or important can be escalated to case status if cases are deemed to be impactful to security, they can be promoted to incidents turbine users can customize the cim playbooks to fit any company’s existing or preferred soc processes capabilities the case and incident management solution provides an interactive user interface for triaging reported phishing emails from the phishing triage solution triaging alerts from the alert triage solution viewing, interacting with, enriching, and adding observables via the threat intelligence solution documenting research and notes regarding an investigation providing investigation details and knowledge base articles collecting granular metrics such as mttr, mttd, dwell time, etc identifying mitre att\&ck phases working an investigation through its entire lifecycle, from signal ingestion through case and incident escalations, remediation, and resolution workflow ai agents case management extension the ai agents case management extension enhances the soc solutions bundle with hero ai powered analysis capabilities the extension provides automated threat analysis, verdict classification, and actionable recommendations to accelerate soc analyst workflows the extension integrates with the case and incident management (cim) application and includes three specialized hero ai agents investigation agent provides immediate visual verdict, severity, and actionable recommendations verdict and threat intelligence analysis agent delivers case summary and threat classification with confidence scores mitre att\&ck & d3fend agent maps and enriches ttps with defensive recommendations prerequisites install the soc solutions bundle before installing the extension workflow the soc solutions bundle provides an integrated workflow ingestion alerts and phishing emails are ingested via alert triage and phishing triage solutions signal creation signals are created in the cim application with extracted observables threat intelligence enrichment observables are enriched via the threat intelligence solution hero ai analysis (optional with extension) hero ai analysis provides additional insights when the ai agents case management extension is installed investigation analysts review signals, cases, and incidents in the cim application resolution cases are escalated, remediated, and resolved with full lifecycle tracking for detailed information about installation, configuration, and usage, see the docid\ knb0auvuq4tb 5s13xbwd