Dear Community, please can anyone share how Siemplify is being leveraged in proactive threat hunting?
Proactive threat hunting
+7
+9
Siemplify will always be in response to something but that doesn't mean we can't get proactive in some interesting ways. Just playing with the idea:
+9
Looks like the
MISP - Triage and Investigation
use case also has some threat hunting concepts in there as well
+5
Indeed! If one could document a procedure they generally follow with threat hunting, one could for sure use a SOAR tool to complete it.
You could setup a job to do
whatever
at some time interval or designated time.
Or, like Andrew said, you could have the automation kick off based on some newly received intel.
For instance, say a notification comes in that APT28, known to target your sector, has been seen abusing CVE-x-x. A playbook could kick off that pulls your vulnerability data for that CVE.
Then another action runs to check abnormal communications for affected devices.
Another action creates tickets for the SOC to investigate and for the patch team to patch.
Very basic example
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.