SOC Solutions Bundle
The SOC Solutions Bundle is a solution bundle made of four smaller, interconnected solutions: Phishing Triage, Alert Triage, Threat Intelligence (TI), and Case and Incident Management (CIM). Phishing Triage and Alert Triage are the primary ingestion workflows, processing incoming events into signals in the CIM application. The TI solution extension is used to enrich observables extracted from incoming cases. Combined, the four solutions create a powerful set of workflows to efficiently and effectively triage and manage critical security events.

Let's dive into what these solutions do as part of the SOC Solutions Bundle.

Alert Triage

How it works

The Alert Triage solution is composed of several playbooks that triage events from a SIEM, XDR, EDR, or other security alert source. You can use either a webhook to push alerts from your source into Turbine, or a bulk ingestion component in the solution to pull alerts. Each alert is processed to identify and extract the important observables. A signal is created in the Case and Incident Management (CIM) application and populated with the relevant alert data. Then the Threat Intelligence (TI) application evaluates the observables discovered in your alert to categorize, evaluate, and prioritize the event before mitigation or remediation.

You can configure the solution to work with any number of SIEMs, XDRs, EDRs, or other security tools. Similarly, you can customize playbook actions to fit any company's existing or preferred SOC processes.

Capabilities

The Alert Triage solution:

- Provides connectors, assets, and playbooks for triaging alerts from security information and event management (SIEM), extended detection and response (XDR), endpoint detection and response (EDR), and similar products
- Automates ingestion of alerts via webhook or API request
- Summarizes alert data
- Enriches observables and identifies actionable data
- Feeds into the Case and Incident Management application

Phishing Triage

How it works

The Phishing (Email) Triage solution is composed of several playbooks that process emails that users submit because they suspect them to be phishing attempts. The solution extracts the critical information from the email (such as observables) and attaches it to a new signal in the CIM application. Then threat intelligence providers, configured in the TI application, evaluate the observables discovered in the suspected phishing email. A rendered image of the suspected phishing email is also generated to provide a safe way to view the contents of the email.

Additionally, the solution can automatically save email attachments to the TI record. For security reasons, this functionality is disabled by default; to enable it, review the configuration information below. Also for security reasons, an image of the original email is saved as part of the case rather than the original content.

Turbine users can customize the Phishing Triage playbooks to fit any company's existing or preferred SOC processes.

Capabilities

The Phishing Triage solution has the following capabilities:

- Provides connectors, assets, and playbooks for triaging reported phishing emails
- Automates ingestion of emails with reported phishing emails attached
- Summarizes reported phishing email data
- Enriches observables and identifies actionable data
- Feeds into the Case and Incident Management application

Threat Intelligence

How it works

The Threat Intelligence (TI) solution works with one or more threat intelligence providers to enrich the observable evidence extracted by the Phishing Triage and Alert Triage solutions. When a TI record is created, several playbooks evaluate the observable against the intelligence supplied by the configured providers. The results are used to update the TI record, which is associated with the signal being triaged.

Capabilities

The Threat Intelligence solution:

- Provides connectors, assets, and playbooks for enriching TI observables
- Allows configuration of multiple threat intelligence providers, including a configurable primary trusted intelligence provider per observable type (domain, IP, etc.)
- Allows automated enrichment of observables identified by the Alert Triage and Phishing Triage playbooks, and of ad hoc searches made through the CIM application

Workflow

Case and Incident Management

How it works

The CIM solution works with the Alert Triage and Phishing Triage solutions to create and manage signals for each event being investigated. The created signals serve as the primary interaction point for investigations, showing the details, status, and next steps for each signal. Signals that are identified as true positives or otherwise important can be escalated to case status. If cases are deemed to be impactful to security, they can be promoted to incidents.

Turbine users can customize the CIM playbooks to fit any company's existing or preferred SOC processes.

Capabilities

The Case and Incident Management solution provides an interactive user interface for:

- Triaging reported phishing emails from the Phishing Triage solution
- Triaging alerts from the Alert Triage solution
- Viewing, interacting with, enriching, and adding observables via the Threat Intelligence solution
- Documenting research and notes regarding an investigation
- Providing investigation details and knowledge base articles
- Collecting granular metrics such as MTTR, MTTD, dwell time, etc.
- Identifying MITRE ATT&CK phases
- Working an investigation through its entire lifecycle, from signal ingestion through case and incident escalations, remediation, and resolution

Workflow
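The following Python sketch is an added example and is not Turbine's code or any part of the bundle; it models the end-to-end flow the four sections above describe so the hand-offs are concrete. An alert (a dict) or a user-reported email (an .eml string) is ingested into a signal, observables are extracted, every configured provider is asked, the primary trusted provider per observable type wins when it has an answer, and the signal is then escalated to case or incident. The provider tables, the sample alert and email, the attachment policy (hashed but not stored unless enabled) and the escalation thresholds are all constructed for illustration; the rendered-image step is not modelled.

```python
"""Constructed triage pipeline: ingestion -> observables -> TI -> CIM lifecycle."""
import email
import hashlib
import re
from dataclasses import dataclass, field
from email import policy

# Observable patterns shared by alert and phishing triage. Domains are taken
# only from URLs and e-mail addresses so file names are not mistaken for hosts.
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
URL_HOST = re.compile(r"https?://([A-Za-z0-9.-]+)")
MAIL_DOMAIN = re.compile(r"@([A-Za-z0-9.-]+\.[A-Za-z]{2,})")
SHA256 = re.compile(r"\b[0-9a-fA-F]{64}\b")

SEVERITY = {"unknown": 0, "clean": 1, "suspicious": 2, "malicious": 3}
HELLO_SHA256 = "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824"

# Hypothetical provider answers standing in for real TI lookups (constructed).
PROVIDERS = {
    "provider_a": {("ip", "203.0.113.9"): "malicious",
                   ("domain", "payroll-update.example"): "suspicious",
                   ("sha256", HELLO_SHA256): "malicious"},
    "provider_b": {("ip", "203.0.113.9"): "clean",
                   ("domain", "c2.badhost.example"): "malicious",
                   ("sha256", HELLO_SHA256): "clean"},
}
# Primary trusted provider per observable type: its verdict wins when it has one.
PRIMARY = {"ip": "provider_a", "domain": "provider_b", "sha256": "provider_b"}

# Constructed inputs: one EDR-style alert and one user-reported phishing email.
SAMPLE_ALERT = {"source": "edr", "host": "ws-0042", "rule": "Outbound beacon",
                "raw": "powershell.exe -> http://c2.badhost.example/beacon (203.0.113.9) "
                       "image sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}
SAMPLE_EML = """\
From: HR Team <hr@payroll-update.example>
To: alice@corp.example
Subject: Urgent: confirm your payroll details
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please confirm your details at http://payroll-update.example/login before 5pm.
--b1
Content-Type: application/octet-stream; name="details.bin"
Content-Disposition: attachment; filename="details.bin"
Content-Transfer-Encoding: base64

aGVsbG8=
--b1--
"""


@dataclass
class Signal:
    """CIM-style record: the primary interaction point for one investigation."""
    source: str
    summary: str
    observables: dict
    attachments: list = field(default_factory=list)
    verdicts: dict = field(default_factory=dict)
    status: str = "signal"


def extract_observables(text):
    domains = {h.lower() for h in URL_HOST.findall(text)} | {d.lower() for d in MAIL_DOMAIN.findall(text)}
    return {"ip": sorted(set(IPV4.findall(text))), "domain": sorted(domains),
            "sha256": sorted({h.lower() for h in SHA256.findall(text)})}


def ingest_alert(alert):
    """Alert Triage: one SIEM/XDR/EDR event becomes a signal."""
    return Signal(alert["source"], f'{alert["rule"]} on {alert["host"]}', extract_observables(alert["raw"]))


def ingest_email(raw_eml, save_attachments=False):
    """Phishing Triage: a reported .eml becomes a signal. Attachments are hashed;
    their bytes are kept only when the (disabled-by-default) option is enabled."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    body = msg.get_body(preferencelist=("plain", "html")).get_content()
    obs = extract_observables(f"{msg['From']}\n{body}")
    attachments = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        digest = hashlib.sha256(data).hexdigest()
        obs["sha256"] = sorted(set(obs["sha256"]) | {digest})
        record = {"name": part.get_filename(), "sha256": digest}
        if save_attachments:
            record["content"] = data
        attachments.append(record)
    return Signal("phishing", f"Reported phishing: {msg['Subject']}", obs, attachments)


def enrich(signal):
    """TI: ask every provider; the primary trusted provider for the type decides,
    otherwise fall back to the most severe verdict any provider returned."""
    for otype, values in signal.observables.items():
        for value in values:
            votes = {name: table.get((otype, value), "unknown") for name, table in PROVIDERS.items()}
            verdict = votes[PRIMARY[otype]]
            if verdict == "unknown":
                verdict = max(votes.values(), key=SEVERITY.get)
            signal.verdicts[(otype, value)] = verdict
    return signal


def escalate(signal):
    """CIM lifecycle: signal -> case (suspicious) -> incident (malicious).
    These thresholds are a constructed policy, not the bundle's defaults."""
    worst = max(signal.verdicts.values(), key=SEVERITY.get, default="unknown")
    if SEVERITY[worst] >= SEVERITY["suspicious"]:
        signal.status = "case"
    if worst == "malicious":
        signal.status = "incident"
    return signal


if __name__ == "__main__":
    for sig in (ingest_alert(SAMPLE_ALERT), ingest_email(SAMPLE_EML)):
        escalate(enrich(sig))
        print(sig.status, sig.summary, sig.verdicts)
```

Two details worth noticing when running it: the sample IP is flagged by provider_a and cleared by provider_b, and it is the per-type primary setting, not a majority vote, that decides; and the attachment hash reaches the TI lookup even though the attachment bytes themselves are never stored unless `save_attachments=True` is passed.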