![]() ![]() Using an out-of-the-box search designed for Splunk Enterprise Security, we can detect Powershell commands that have been encoded. Since automation is so powerful, I wanted to show a simple workflow that is a big timesaver that has helped many organizations I work with today. This was especially useful on weekends when I could not complete the tasks until Monday. These automation playbooks would interact with our firewall or EDR solution to perform containment actions in a few seconds. I used the community edition to perform simple enrichment tasks and later moved on to using full SOAR capabilities to conditional remediate events based on severity. Phantom opened up a new world of automation I had no time to create. I then came across Splunk SOAR, known as Phantom at the time. After a while, I graduated with more complex automation scripts, but they still weren’t as effective as they could be. Not impressive automation, but it saved me a few clicks. It would launch multiple browsers plugging in the IOC into multiple reputation sources, so I didn’t have to perform the task manually. For example, I created a script where I could input an IOC. ![]() ![]() I eventually created simple scripts to aid in my incident response so I was not spending time just getting the information I needed.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |