Automating EDR Alerts with a Custom List in SOAR

Hello Security Community Members,

I hope you’re all doing well!

We are currently working on improving our Endpoint Detection and Response process. We want to use manual analysis for some events or alerts and add summaries of false positive hash values to a custom list for future reference.

The idea is that if we encounter the same event with the same hash value in the future, we’d like to pull that analysis from our custom list instead of doing the manual work all over again.

I’m looking for some guidance on how to set this up in our SOAR playbook. Specifically:

  1. How can we configure the playbook to first check the custom list when an alert is triggered?
  2. What’s the best way to implement the logic that allows us to either reference the analysis from the custom list or continue with our normal incident response process (but look in the custom list first)?
  3. Are there specific conditions we should use to make this work smoothly?

I’d appreciate any tips or examples from anyone who has done something similar.

Thanks so much for your help!

Thanks,

If you want to do custom lists, start by making a list; the category is important, as you will be calling that.
(screenshot: example FP.png)
Then for a playbook you could do something like this based on your EDR product trigger: check to see if it is on the 'False Positives' list, then use the 'Previous Actions Flow' to close if it is on the list, and do whatever else is typical in your environment on the else branch.

(screenshot: EDR_custom_list.png)

Just remember to also check to make sure the hashes, IPs or whatever is on that list are always FPs.

Hello pigram86,

Thank you for the recommendation on handling false positive EDR alerts. I just wanted to check one more thing: do we need to manually add false positive IOCs, such as IPs, hashes, or domains, into the custom list, or can we define a block in the SOAR playbook to add those IOCs automatically?

Thanks,

Dnyaneshwar

Hi @dnyaneshwar.,

There are 3 sorts of actions you can perform for custom lists:

'Add to Custom List', 'Is in Custom List', 'Remove from Custom List'.

EDR Trigger -> Check if XXX is in custom list already - If yes -> close case / require analyst to confirm if the custom list entry is still sufficient for XXX

EDR Trigger -> Check if XXX is in custom list - If no -> Perform XXX investigation via playbook or analyst -> Add prompt for analyst (General question, maybe) to enter XXX values that need to be added into the custom list.

Hope this helps!

Kind Regards,

Ayman
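The flow described in the two replies above (consult the list first, close on a hit, otherwise run the normal investigation and let the analyst add the indicator afterwards), as an added, runnable example. This is not code from the thread and not any SOAR vendor's SDK: it models the three list actions ('Add to Custom List', 'Is in Custom List', 'Remove from Custom List') with an in-memory store so the branching can be exercised offline. The alert field names, the 'False Positives' category default, the 90-day re-confirmation interval and the sample alerts are assumptions constructed for illustration; it also adds the practical checks pigram86 and Ayman hint at (normalize the indicator before matching, never auto-close on a missing indicator, and force an analyst re-confirmation once an entry is old).

```python
"""Stand-alone model of the custom-list triage flow discussed in this thread.

Added example; not code from the posts and not a SOAR product's SDK.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

# Assumed review interval: an entry older than this is not trusted blindly.
REVIEW_AFTER = timedelta(days=90)


@dataclass
class FPEntry:
    """One confirmed false positive plus the analysis that justified it."""
    category: str      # list category the playbook queries, e.g. "False Positives"
    value: str         # normalized indicator (hash, IP, domain)
    summary: str       # analyst write-up, reused on later hits instead of re-analysis
    added_by: str
    added_at: datetime


class CustomList:
    """In-memory stand-in for the SOAR custom list, keyed by (category, value)."""

    def __init__(self) -> None:
        self._entries: Dict[Tuple[str, str], FPEntry] = {}

    @staticmethod
    def normalize(value: str) -> str:
        # EDR products differ in hash casing; lowercase so the same file matches.
        return value.strip().lower()

    def add(self, category: str, value: str, summary: str, analyst: str,
            now: Optional[datetime] = None) -> FPEntry:
        """'Add to Custom List': record the indicator and its analysis."""
        key = (category, self.normalize(value))
        entry = FPEntry(category, key[1], summary, analyst,
                        now or datetime.now(timezone.utc))
        self._entries[key] = entry
        return entry

    def lookup(self, category: str, value: str) -> Optional[FPEntry]:
        """'Is in Custom List': the entry if present, else None."""
        return self._entries.get((category, self.normalize(value)))

    def remove(self, category: str, value: str) -> bool:
        """'Remove from Custom List': drop an entry that turned out not to be a FP."""
        return self._entries.pop((category, self.normalize(value)), None) is not None


def _indicator(alert: dict) -> Optional[str]:
    # Assumed alert layout: whichever indicator the EDR trigger supplied.
    return alert.get("sha256") or alert.get("ip") or alert.get("domain")


def triage(alert: dict, fp_list: CustomList, category: str = "False Positives",
           now: Optional[datetime] = None) -> dict:
    """First playbook step: check the list before any other action.

    decision is one of:
      auto_close   known FP, recent enough to trust; prior analysis attached
      confirm_fp   known FP but stale; analyst must re-confirm it still applies
      investigate  not on the list (or nothing to match on); run normal IR flow
    """
    now = now or datetime.now(timezone.utc)
    indicator = _indicator(alert)
    if not indicator:
        # Never auto-close on an empty key; an empty string would match nothing anyway.
        return {"decision": "investigate", "reason": "no indicator in alert"}
    entry = fp_list.lookup(category, indicator)
    if entry is None:
        return {"decision": "investigate", "reason": "not in custom list"}
    if now - entry.added_at > REVIEW_AFTER:
        return {"decision": "confirm_fp", "prior_analysis": entry.summary,
                "reason": f"entry older than {REVIEW_AFTER.days} days"}
    return {"decision": "auto_close", "prior_analysis": entry.summary,
            "reason": f"confirmed FP by {entry.added_by}"}


def record_analyst_verdict(alert: dict, fp_list: CustomList, verdict: str,
                           summary: str, analyst: str,
                           category: str = "False Positives") -> Optional[FPEntry]:
    """Closing prompt of the else branch: only a FP verdict touches the list."""
    if verdict != "false_positive":
        return None
    return fp_list.add(category, _indicator(alert), summary, analyst)


def demo() -> list:
    """Run constructed sample alerts through the flow; returns the decisions."""
    fp_list = CustomList()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    # Constructed sample data, not real indicators.
    fp_list.add("False Positives", "ABCDEF0123456789" * 4,
                "Signed internal deployment tool; flagged for LOLBin use",
                "analyst1", now=t0)
    known = {"id": 1, "sha256": "abcdef0123456789" * 4}   # same hash, different case
    unknown = {"id": 2, "sha256": "00" * 32}
    no_ioc = {"id": 3}
    recent, stale = t0 + timedelta(days=10), t0 + timedelta(days=120)
    return [triage(known, fp_list, now=recent),
            triage(known, fp_list, now=stale),
            triage(unknown, fp_list, now=recent),
            triage(no_ioc, fp_list, now=recent)]


if __name__ == "__main__":
    for d in demo():
        print(d)
```

The `confirm_fp` branch is what turns Ayman's "require analyst to confirm" into a concrete condition: without some age or review marker on the entry, the playbook has no way to tell a still-valid exclusion from one added for a binary that has since been replaced, so a time-based re-confirmation is the simplest condition that keeps the list from silently closing real alerts.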

 

Hello Ayman,

Thanks for your recommendation; it was helpful for us to understand the custom list flow.

Thanks,

Dnyaneshwar