Hi all,
I’m currently working on testing playbooks in my environment and looking for the best practices when it comes to running simulated cases. Specifically, I’d like to know if there’s a way to automatically create cases based on actual events occurring within my environment to help simulate more realistic scenarios.
If anyone has experience with this or can provide guidance on how to automate these test cases effectively, that would be greatly appreciated. I’m also interested in hearing how others approach playbook testing in general.
Thanks in advance!
Hi Bein,
There are quite a few ways to do this. You could start out with some benign testing, using something such as a PowerShell or DOS command (assuming this data goes to SecOps). Create a rule for the CLI output and set the rule to live. Once the case gets into SOAR, you would click on the case, select the event and then hit the 3 circles on the right to "ingest as test case". This would allow you to test playbook triggers, some opportunities for integrations/enrichments, and workflows.
You could also ingest data using the ingestion API or set up a BindPlane agent on some Windows devices and potentially run some scenarios through that mechanism.
I am fortunate: I can use the Mandiant Security Validation toolset on my devices, which funnels into my SecOps instance, and from there I can produce events that trigger alerts, ultimately creating cases.
Everything really starts with rules on the SIEM side, though, which create alerts that turn into cases. Cases can then trigger playbooks accordingly. Hope that helps.
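An added example (not from the original post or from Google SecOps) of the "benign event with a marker" approach described above, aimed at the original question of deriving test cases from real events: it takes a real UDM-style event and produces a clearly labelled, harmless copy that a SIEM rule keyed on the marker string can match to open a case for the playbook. The UDM field names follow Google SecOps' UDM; the sample event, the `TEST_MARKER` value and the submission step (left to the ingestion API or a BindPlane agent) are assumptions.

```python
import copy
import json
import uuid
from datetime import datetime, timezone

# Marker string a detection rule can key on (assumed value; any unique string works).
TEST_MARKER = "SOAR_PLAYBOOK_TEST"

# Constructed sample: a real PROCESS_LAUNCH event in (simplified) UDM shape.
REAL_EVENT = {
    "metadata": {"event_type": "PROCESS_LAUNCH",
                 "event_timestamp": "2024-05-01T10:15:00Z",
                 "product_name": "Windows Security"},
    "principal": {"hostname": "WS-FINANCE-07", "user": {"userid": "alice"}},
    "target": {"process": {"command_line": "powershell.exe -NoProfile -File C:\\Scripts\\inventory.ps1",
                           "file": {"full_path": "C:\\Windows\\System32\\powershell.exe"}}},
}


def make_test_event(real_event: dict, marker: str = TEST_MARKER) -> dict:
    """Derive a benign, clearly labelled test event from a real one.

    Keeps the shape and the host/user context (so enrichments and playbook
    branches see realistic data) but replaces the command line with a
    harmless marker command and stamps the metadata so the copy can never
    be mistaken for the original event.
    """
    ev = copy.deepcopy(real_event)  # never mutate the real event
    run_id = uuid.uuid4().hex[:8]
    ev["metadata"]["event_timestamp"] = datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    ev["metadata"]["description"] = (
        f"{marker} run={run_id} derived_from={real_event['metadata']['event_timestamp']}"
    )
    # Benign payload: echo the marker instead of whatever the real process ran.
    ev["target"]["process"]["command_line"] = f"cmd.exe /c echo {marker}_{run_id}"
    return ev


def is_test_event(event: dict, marker: str = TEST_MARKER) -> bool:
    """Mirror of the rule condition: marker in the command line AND in metadata."""
    cmd = event.get("target", {}).get("process", {}).get("command_line", "")
    desc = event.get("metadata", {}).get("description", "")
    return marker in cmd and marker in desc


if __name__ == "__main__":
    # Payload ready to hand to the ingestion path of your choice.
    print(json.dumps(make_test_event(REAL_EVENT), indent=2))
```

The `is_test_event` check is the same condition a rule would use, so a case opened by it is unambiguous in SOAR and the playbook can branch on it if needed.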