IncMan SOAR Anti-fraud Use Case


Financial institutions are a constant target of intrusion attempts, which underlines the need for additional cyber security technologies that are capable of nullifying the risk of potential cyber attacks. However, the fact that financial institutions don’t have a way to better integrate their security tools with their SecOps teams means that their resources are being poorly distributed. Analysts are spending more time on false positives, while the real threats are left unattended. This decreases the optimal efficacy of the entire organization and reduces the ability of the SOC and CSIRT to properly respond to cyber attacks.

In this regard, by acting as connective tissue amongst security tools via orchestration and automation, IncMan SOAR allows SOCs to drastically reduce their response time to cyber threats and increases their chances of intercepting cyber fraud alerts even before they evolve into full-blown incidents.

How IncMan SOAR helps fight fraud

In the battle against cyber fraud, IncMan SOAR has proven time and time again that it can be an indispensable asset. And to show its value in practice, we will take the example of one of the largest banks in Europe.

The bank utilizes IncMan SOAR’s monitoring software to detect any potentially fraudulent transactions that may arise from the external systems. Such transactions include:

  • National Wire Transfers
  • Prepaid Phone Card
  • Prepaid Credit Cards
  • International Wire Transfers
  • Credit Cards

In the event of a fraudulent transaction, the anti-fraud analysts first create a pre-validation to verify the legitimacy of the transaction and determine whether or not the alert is a false positive. To support that decision, IncMan receives data regarding these transactions from the RAKE API and stores it in its TRIAGE function.

After IncMan SOAR receives the data regarding the nature of the transaction, it uses its TRIAGE capability to store and utilize that data. The data is then sent to IncMan automatically from the Fraud Management System’s API. IncMan then analyzes the data and uses it to enrich the potentially fraudulent transaction via its R3 Rapid Response Runbooks. Analysts then read this information and, after analyzing all of the data, decide whether a transaction is fraudulent and should be converted into an incident. The goal is to avoid converting transactions into incidents when there is no actual need to do so.

After reviewing all the evidence gathered, the transaction can be closed as a false positive or converted into an incident, according to the bank’s policies. If needed, a closed transaction can be reopened for additional processing. When a transaction is converted into an incident, all the enrichment actions that have already been performed will be visible inside the incident along with their results, and the team members will then process the new incident in accordance with the bank’s policies.

All actions performed on a suspected transaction or an incident, and any user activity, are automatically captured and stored in IncMan’s audit trail. Finally, specific reporting capabilities related to the processing of these transactions are created within IncMan to analyze the results.

Furthermore, IncMan SOAR allows the bank to conduct this process continuously, as during working hours IncMan is operated by internal users, and in non-working hours IncMan is operated by external contractors.

Using IncMan SOAR’s unique features for preventing cyber fraud

IncMan SOAR allows users to customize their workflow and adjust it in different ways in order to enhance their user experience. In this case, the bank used different colors to map out the processes in a more visually accessible manner. This allowed the bank to create a visual representation which helped the team coordinate better:

  • White: still to be processed
  • Purple: assigned to a user
  • Green: assigned to a group

This creates a visual cue that leads to fewer errors amongst the team. Any owner of a transaction can re-route it to a different user or team if necessary.

When a user takes ownership of a transaction, an IncMan Rapid Response Runbook is executed. Depending on the type of transaction at hand, the Runbook contains the appropriate enrichment actions. Different Runbooks are defined for the varying transaction types. The information resulting from all the enrichment actions executed by the Runbooks is stored within the transaction and is available to the analysts. The actions typically involve accessing the information on the Mainframe and other external systems.
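
The triage lifecycle described above (ownership colors, Runbook execution when a user takes ownership, close / reopen / convert, audit trail), modeled as an added example. This is not IncMan or DFLabs code; the runbook step names, state names and function names are assumptions, and the enrichment results are constructed stand-ins.

```python
from dataclasses import dataclass, field

# Hypothetical runbook steps per transaction type (names are assumptions).
RUNBOOKS = {
    "international_wire": ["mainframe_account_lookup", "beneficiary_history"],
    "credit_card": ["mainframe_account_lookup", "card_usage_profile"],
}
COLORS = {"unassigned": "white", "user": "purple", "group": "green"}
# Allowed decisions: (current state, action) -> next state.
TRANSITIONS = {
    ("triage", "close"): "closed_false_positive",
    ("closed_false_positive", "reopen"): "triage",
    ("triage", "convert"): "incident",
}
AUDIT = []  # append-only trail of (actor, action, transaction id)

@dataclass
class Transaction:
    tx_id: str
    tx_type: str
    state: str = "triage"
    owner_kind: str = "unassigned"
    owner: str = ""
    enrichment: dict = field(default_factory=dict)

def color(tx):
    return COLORS[tx.owner_kind]

def assign(tx, actor, owner, kind):
    """Assign or re-route; a user taking ownership triggers the runbook."""
    if tx.state != "triage":
        AUDIT.append((actor, "denied:assign", tx.tx_id))
        raise ValueError(f"{tx.tx_id} is {tx.state}, not in triage")
    tx.owner_kind, tx.owner = kind, owner
    AUDIT.append((actor, f"assign:{kind}:{owner}", tx.tx_id))
    if kind == "user":
        for step in RUNBOOKS[tx.tx_type]:
            tx.enrichment[step] = "constructed result"  # stand-in for a lookup
            AUDIT.append(("runbook", f"enrich:{step}", tx.tx_id))

def decide(tx, actor, action):
    """Apply close / reopen / convert; refused attempts are audited too."""
    nxt = TRANSITIONS.get((tx.state, action))
    if nxt is None:
        AUDIT.append((actor, f"denied:{action}", tx.tx_id))
        raise ValueError(f"cannot {action} while {tx.state}")
    tx.state = nxt
    AUDIT.append((actor, action, tx.tx_id))
    return tx
```

A closed transaction has to be reopened before it can be converted, and the enrichment gathered during triage stays attached to the transaction once it becomes an incident.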


In this use case, we illustrated the benefits of IncMan SOAR with a real-life example. We explained how the bank uses IncMan SOAR to discover potentially fraudulent transactions and to improve its overall cyber security posture. We showed how IncMan’s flexibility plays a major part in improving the communication between team members, thus allowing the entire process to go smoothly.

In regard to tackling fraudulent transactions, IncMan SOAR offers two unique capabilities that can greatly enhance the chances of preventing such cyber threats:

  • Open Integration Framework: With the Open Integration Framework (OIF) we want all vendors to integrate bi-directionally with us and everyone to be independent in creating integrations. DFLabs even integrates Mainframes for this particular type of use case.
  • Triage: Triage is a major differentiator that distinguishes DFLabs from the rest. This feature allows users to properly deal with potentially harmful alerts that require a more thorough analysis. Through triage, analysts can also decrease the number of false positives by relying on contemporary technology and software, mostly based on automation, machine learning, correlation, and aggregation of events.

The inevitable reality is that financial institutions are, and will continue to be, lucrative targets for cyber attackers. In this regard, financial institutions must think one step ahead and implement proper technologies, like IncMan SOAR, that will strive not to recover, but to intercept and prevent fraudulent transactions from ever happening.
