SOARing Through Incident Management

Back to all articles


Effective incident management starts with an organization’s ability to quickly and accurately triage a potential incident before it can result in a full-blown breach of security or a landslide of false-positive alerts. With event counts increasing and staff sizes shrinking, it is becoming exponentially more important that SecOps teams can quickly identify a real security threat amongst the false positive “noise”.

To make matters worse, today’s security threats are becoming more difficult to identify due to the increasing level of sophistication used in these types of attacks. This increased level of sophistication has led organizations to expand the number of security tools in their arsenal, only adding to the ongoing alert fatigue experienced by security operations teams.

To overcome these obstacles organizations have begun to adopt automation technologies to help expedite repetitive tasks that consume a huge chunk of an analyst’s time. Of these technologies, Security Orchestration, Automation, and Response platforms offer the most comprehensive solution to help assist security operations teams. Through automation, organizations can orchestrate response efforts on behalf of their security team. This ensures that response processes are handled consistently and only involve human interaction when the event has been deemed worthy of further investigation.

How Security Automation and Orchestration Can Assist SecOps in the Incident Triage Process

To achieve this using a SOAR platform, security teams would create automated runbooks that mimic the triaging process. This process may vary depending on the organization, but here are a few basic components to consider during an incident investigation and how SOAR can take an organization’s incident management processes to new heights:

Data Enrichment

One of the very first tasks an analyst must complete during an investigation is to gather information pertaining to the data found within a specific alert. This step is often the most time consuming due to an analyst’s need to logon to multiple systems, query the data within those systems, and attempt to correlate the findings into a meaningful attack timeline.

Fortunately, this time-consuming process can be automated using a SOAR platform to cut down the amount of time spent from hours to minutes and in some cases seconds. SOAR eliminates the need to authenticate to multiple systems through the use of bi-directional integrations. Using APIs, a SOAR platform can simultaneously issue queries to numerous security and networking tools, gather their responses, and make automated conditional decisions on how to proceed based on the evidence gathered. The automated evidence gathering and decision-making capabilities of a SOAR platform allows this crucial step in the triaging process to be conducted without the need for an analyst to intervene. Taking this step out of the hands of an analyst enables their time to be spent on tasks that require their immediate attention.


Correlation is an important part of the incident triage. During this step, an analyst must take the information gathered throughout the data enrichment phase and link it with additional events that may be connected. By linking this data to additional events an analyst can begin to gain a greater perspective of the activity being observed.

Most organizations will utilize a SIEM platform to perform correlation activities, but unfortunately, even though SIEM platforms are built upon a correlation engine, it will still require an analyst to create the appropriate queries, gather correlated events, and construct an attack timeline.

However, by integrating SOAR with an existing SIEM platform, security teams can develop numerous queries ahead of time and extract incident artifacts from previously executed actions to gather the data necessary to present a complete timeline of events. This includes inspecting information adjacent to the event and analyzing potentially shared keys, such as IP addresses or domain names, across multiple data sources for better visibility.

Threat Intelligence

Once the necessary data has been collected and grouped together an additional step in the triaging process may be to cross-check the information against internal and external threat intelligence feeds. Threat intelligence data has become commonplace in most security programs, but unfortunately if not implemented properly will only contribute to the noise security operations centers face on a day-to-day basis.

Because of this, it is extremely important that security teams practice due diligence before introducing threat intel feeds to their security program. For those teams who have adopted a threat intelligence program, SOAR provides one seamless platform to ingest those feeds and apply them in real-time to incident investigations. This will help provide the context necessary to detect threats earlier, increase the security team’s efficiency, and resolve incidents faster.

Prioritization and Organization

The aggregation of internal and external intelligence data can also be used to prioritize and facilitate collaboration between the security team and other business units within an organization. At the heart of a SOAR platform is its response capabilities. Not only does SOAR allow for automated response actions, such as blocking an IP address or quarantining a host, to be taken on behalf of a security professional, but it also provides a foundation to develop an organization’s response workflow.


By utilizing a SOAR platform to develop a response workflow, security teams can assign certain tasks to specific analysts or outside departments without needing access to multiple systems, assign due dates for those tasks, present a repository to document previous actions and outcomes, and adjust prioritization of an event based on those outcomes. This provides a unified system that can be used across an entire organization to ensure that security incidents handling will happen with the correct level of urgency and all parties responsible for the security of the organization are involved throughout an incident’s investigation.

These are just a few ways in which SOAR can help boost the effectiveness of a security incident response program and expedite the incident triaging process. To find out how SOAR can work for your organization, schedule a demo and see IncMan SOAR today!

Get Started with a One-to-One Personalized Demo

Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.

See IncMan SOAR in Action.

Request a demo