Right, let’s talk SIEM and SOAR. Not just in theory, but how we’ve been actually using them to dramatically improve our network defence – cutting through the noise and focusing on what really matters. I want to share some things I’ve learned along the way, particularly about integrating these two powerhouses and automating our workflows. This is for folks who are already in the trenches, wrestling with SIEM and SOAR daily.
The Problem: Alert Fatigue is Real (and Expensive)
We all know the story. A deluge of alerts from our SIEM, many of them false positives. Analysts spend hours chasing shadows, while genuine threats slip through the cracks. The perimeter is protected by next gen firewalls with AI and all sorts, it’s monitored by endpoint protection that is next level and even the cloud environment is watched 24×7 by the best tools – yet still they come. To truly enhance our network defence, we need to do more. This is where proactive measures such as dark web monitoring can help. Being able to be pre-emptive by searching for breached credentials and planned exploits has been a real game changer to enhance the whole network defence. Even with this it can still be too much. Our solution was to look at how SOAR could automate our investigation process. We can automate our incident response, freeing up time for the analysts to do what only they can do.
Context is King (and SOAR is the Royal Messenger)
The real magic happens when you enrich SIEM alerts with external context. This is where SOAR comes in. Think threat intelligence feeds, asset criticality information, user roles – anything that paints a fuller picture. Here’s a snippet of how we use the MISP API to add threat intel to our alerts. This has been a real game changer and makes all the difference in identifying potential attacks.
“`python
import requests
import json
misp_url = ‘https://your_misp_instance’
misp_key = ‘your_misp_api_key’
headers = {
‘Authorization’: misp_key,
‘Content-Type’: ‘application/json’,
‘Accept’: ‘application/json’
}
def query_misp(ioc):
data = {‘value’: ioc}
response = requests.post(f'{misp_url}/attributes/restSearch’, headers=headers, json=data, verify=False)
if response.status_code == 200:
return response.json()
else:
print(f’Error querying MISP: {response.status_code} – {response.text}’)
return None
alert_ioc = ‘192.168.1.100’ # Example IP address from SIEM alert
misp_results = query_misp(alert_ioc)
if misp_results and misp_results[‘response’]:
print(f’MISP found matches for {alert_ioc}:’)
for event in misp_results[‘response’]:
print(f’ – Event ID: {event[‘Event’][‘id’]}, Threat Level: {event[‘Event’][‘threat_level_id’]}’)
else:
print(f’No matches found in MISP for {alert_ioc}’)
“`
We then use this information in our SOAR playbooks to automate the next steps. This could be anything from isolating the affected host to generating a high severity incident for the SOC.
Building Automated Threat Detection and Response Workflows
The core of our approach is building SOAR playbooks that integrate directly with our SIEM. For example, when our SIEM detects a suspicious login attempt (multiple failed logins followed by a successful one), the SOAR platform springs into action. We’ve automated the following steps:
- Enrichment: Pull user information from Active Directory, asset criticality from our CMDB, and threat intelligence from our MISP and commercial feeds (like VirusTotal).
- Analysis: Based on the enriched data, determine the potential impact. Is the user a member of the C-suite? Is the asset a critical server? Does the IP address have a bad reputation?
- Response: If the risk score exceeds a threshold, automatically disable the user account, isolate the affected host, and notify the security team. We have also added automated emails to alert the users if the account has been used from a new location, requesting if this was them or not. We have found the the users are the key to a strong network.
Integrating SIEM and SOAR Platforms: An Example with Splunk and Phantom
Here’s a simplified example of how we connect Splunk (our SIEM) and Phantom (our SOAR) using the Phantom REST API within a Splunk alert action:
xml
<alert>
<name>Suspicious Login Attempt</name>
<description>Multiple failed logins followed by a successful one</description>
<query>index=auth sourcetype=login_attempts failed=true | stats count by user | where count > 3 | append [search index=auth sourcetype=login_attempts successful=true | stats latest(_time) as last_success by user] | stats min(last_success) as last_success by user | where last_success > relative_time(now(), "-5m")</query>
<cron_schedule>*/5 * * * *</cron_schedule>
<actions>
<action>
<name>Run Phantom Playbook</name>
<type>script</type>
<param name="filename">phantom_playbook.py</param>
<param name="param.user">$user$</param>
</action>
</actions>
</alert>
And the Python script (phantom_playbook.py) called by Splunk:
“`python
import requests
import json
import sys
phantom_url = ‘https://your_phantom_instance’
phantom_key = ‘your_phantom_api_key’
playbook_id = 123 # Example Playbook ID
user = sys.argv[1] # Get the user from Splunk’s alert parameters
headers = {
‘ph-auth-token’: phantom_key,
‘Content-Type’: ‘application/json’
}
data = {
‘playbook_id’: playbook_id,
‘container’: {
‘name’: f’Suspicious Login for {user}’,
‘label’: ‘events’,
‘source_data_identifier’: user,
‘data’: [{‘user’: user}]
}
}
response = requests.post(f'{phantom_url}/rest/container’, headers=headers, data=json.dumps(data), verify=False)
if response.status_code == 201:
print(f’Successfully triggered Playbook {playbook_id} for user {user}’)
else:
print(f’Error triggering Playbook: {response.status_code} – {response.text}’)
“`
Streamlining Security Operations: The Payoff
This integrated approach has significantly reduced alert fatigue. The enhanced context allows us to quickly identify genuine threats and prioritize our response efforts. We’ve also seen a noticeable improvement in SOC efficiency. Automating repetitive tasks has freed up our analysts to focus on more complex investigations and proactive threat hunting.
By layering context enrichment and automation onto our existing SIEM infrastructure, we’ve moved beyond basic correlation to a more proactive and efficient security posture. The ability to tailor incident response plans to specific threat profiles has substantially strengthened our network defence capabilities. The increased efficiency in incident handling, coupled with reduced false positives, has significantly improved the overall effectiveness of our security operations. The proactive approach, integrating dark web monitoring and user feedback mechanisms, has added additional layers of defence. Ultimately, it’s about empowering your team to work smarter, not harder, and that’s where SIEM and SOAR really shine.