IncMan SOAR Use Case: Industrial Security

Back to all articles

The goal of this use case is to demonstrate how IncMan’s integrations and R3 Rapid Response Runbooks quickly alert the security team about potential cyber threats. In this process, SOC operators are enabled to make a fast and well-informed decision regarding a possible threat via automation, or they can choose to manually handle the evaluation of the security alert and related courses of action.


  • Receive alerts regarding suspicious activities or exceeding threshold over industrial systems.
  • Automatically download specific activity logs related to specific industrial machines and store them as evidence.
  • Automatically analyze those logs and extract the host originator of the latest commands sent to the machines.
  • Retrieve information and reputation of the extracted hosts.
  • Inform SOC operators of the threat and allow them to be able to decide what course of action needs to be taken.
  • Contain the incident isolating the host from the network.
  • Recover the state of industrial machines.

Integrations Used

  • Cisco Cyber Vision
  • Cisco Cyber ISE
  • SIEM
  • Alleantia
  • Email notification


Creating an R3 Rapid Response Runbook

The first step is receiving an alert related to the industrial machine status via multiple alerts (email, syslog, or others). In case of a threshold exceeding event or deviation from normal working, a baseline is converted into an alert and sent to IncMan.

Then, IncMan starts with a series of enrichment actions. For instance, it can start by retrieving the latest events related to the industrial machine under analysis from Alleantia. Afterward, those logs are stored inside the incident container created in IncMan. For each log, a subset of information is extracted, and the analysis process starts in order to determine whether some host systems, voluntarily or not, sent commands to the industrial machine. The analysis output contains the host list that interacted with the industrial machine.

The host list is used to query Cisco Cyber Vision in order to extract more information about host like, for example:

  • Whether the host is well-known or new
  • Whether it is present into the network perimeter recently or not
  • Whether the details about Operative System are available or not
  • Whether the host/s have in general have a good or bad reputation

Once this data is automatically collected by IncMan, which would only take a few minutes, the SOC operator responds. Then, IncMan generates a series of User Choices for a specific user, or group of users, asking what the next steps should be.

If the host can be considered as “trusted,” IncMan makes an assessment and analyzes if any escalation is needed or if it is possible to close the incident as a false positive. In addition, the SOC operators are asked if the industrial machine needs to be restarted or if any commands should be sent in order to reactivate the normal operations.

If the host is considered as “not trusted,” an extra enrichment step can be executed, asking the SIEM relevant questions regarding the enrichment phase, such as:

  • Whether the host/s under analysis communicated with other systems
  • If yes, when did the communication take place
  • Whether they have access to the Internet

After those enrichment actions, the user can decide to: isolate the host from the network using a Cisco technology like Cisco ISE or leave this task as a manual intervention to be performed by an authorized operator.

In case the host is recently added to the network, IncMan SOAR can update the SOC operators with the new information collected from the moment the host was added to the network.


Figure 1 – Industrial Security Runbook


Depending on the information received in the alert, SOC operators can determine whether the alert can pass as a false positive or whether it can pose an actual threat to the system. If so, the SOC operators can decide whether they want to manually pursue the remediation phase and choose the course of actions themselves, or whether they want to apply automation to the task in hand.

Either way, IncMan SOAR’s enrichment phase utilizes the extracted information from the Runbook’s actions to create a valid assessment of the alert and provide the SOC operators with the opportunity to single-handedly carry out the rest of the remediation phase by providing them with valuable information regarding the alert, and if the SOC operators deem that the alert doesn’t require human interaction, they apply automation to finalize the remainder of the remediation phase.

Thanks to IncMan’s prompt and thorough enrichment phase, SOC operators can make an accurate decision regarding an alert and carry out the remediation processes in the most effective manner.

Download our eBook "The Most Comprehensive eBook on SOAR Use Cases", and learn how to automate your security operations workflow, accelerate the efficiency of your SecOps team, and combat cyber threats with the power of SOAR technology.

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request a demo