Frequently Asked Questions

Need Some Help?

Below you will find the answers to some of the most popular questions about SOAR best practices, procedures and more.

If you don’t find the answer to the question you are looking for, please get in touch and a member of the DFLabs team will assist you.

Alternatively, if you are one of our Community Portal members, why not check out our more advanced FAQ section or ask a member of the community in our open forum.

Automation and Orchestration.

What are the benefits of using automation and orchestration?

Automation and orchestration allow actions such as playbook and runbook events to be triggered automatically and carried out faster by a machine than by a human. Often these are basic, repetitive, time-consuming and mundane tasks. The result is a faster incident response, reducing the overall time to containment or remediation of the threat.

The implementation of automation and orchestration consequently allows security analysts to spend their valuable time on more advanced, high-level threats that need some degree of human intervention, or on threat hunting before an alert has even been triggered. By utilizing automation and orchestration, processes not only become more standardized and efficient; knowledge and documentation can also be shared easily within the team or across teams in the organization, allowing companies to do more with fewer resources.

How can I benefit from IncMan SOAR's orchestration capabilities?

Orchestration with IncMan SOAR brings the benefit of advanced security intelligence, with aggregation and correlation of information from hundreds of leading 3rd party security and threat intelligence sources using a continually growing number of certified bidirectional connectors. It can control incident response by applying linear or conditional playbooks that support complex, stateful and conditional decision making, combining manual and automatic actions. With automated knowledge sharing through the DFLabs Automated Responder Knowledge (ARK) module, the expertise needed to manage incidents can be maintained and transferred across stakeholders collaboratively and securely, enabling security managers and CISOs to manage and measure operational performance and risk.

How is automation carried out within IncMan SOAR?

DFLabs uses its R3 Rapid Response Runbooks, created in a visual editor, to support granular, stateful and conditional workflows that automate incident response activities such as incident triage, stakeholder notification and data context enrichment. R3 Runbooks fully automate threat containment and other actions by integrating with 3rd party security technologies, enabling the automated execution of containment actions such as disabling a user account, blocking an ongoing network connection or quarantining a process or file. This is complemented by our dual-mode action capability: fully and semi-automated actions give security administrators the ability to determine the appropriate amount of automation at every stage of the response process, with the final decision taken by a human analyst where required.

Security Operations Best Practices.

What is a Security Operations Center (SOC)?

A Security Operations Center (SOC) is a team of security specialists, responsible for monitoring and analyzing an organization’s security threat landscape, while detecting, containing and responding to a growing number of cyber security alerts and incidents within their network. By using a combination of technology solutions, as well as adhering to processes and procedures, they can quickly and correctly identify, report on and eliminate threats, minimizing the impact to the organization. SOCs are usually staffed with a range of security analysts, engineers and managers to ensure security issues are addressed efficiently and effectively upon discovery.

How can an organization take a proactive approach to enable effective incident response?

With Security Orchestration, Automation and Response (SOAR) technology such as the IncMan SOAR platform, capabilities including automation, orchestration and data enrichment, together with threat intelligence collected from several sources, support incident responders in assessing, investigating and hunting for threats, improving their overall efficiency and effectiveness. Reduced mean time to detection and containment, as well as reduced mean time to resolution, will inevitably improve your security operations and incident response processes and tasks.

What is the best way to validate security threats and alerts?

IncMan SOAR cuts down threat investigation and validation times with data enrichment, combining several sources of information from various solutions and technologies. This helps separate real threats from potential false-positive alerts, which are often worked manually and drain limited resources. Automation eliminates some of the extra effort needed for successful threat validation, minimizing resolution time, maximizing analyst efficiency and increasing the number of incidents handled.

Standard Operational Procedures.

How do standard operational procedures help to improve incident response?

Standard operational processes and procedures provide the guidance, instructions and information needed to mitigate problems in the most appropriate and resourceful way, in conformance with policies and with legal and regulatory requirements. Well thought out procedures and work instructions provide a method to communicate with the necessary stakeholders and to apply consistent practices and standards within an organization, department or team. They save time and eliminate mistakes, ensure the desired results, reduce training costs, support quality goals, and enable knowledge transfer and delegation of work.

Can IncMan SOAR be deployed in any environment?

DFLabs' IncMan SOAR platform can be deployed on a hardware appliance or in a virtualized environment such as VMware. It supports high availability, load balancing and a multi-tenant architecture, and provides a scalable platform that works with both NAS and SAN storage.

What ISO standards does DFLabs support?

DFLabs and its IncMan SOAR platform conform to ISO 9001. The CEO and management team at DFLabs are also recognized for their industry experience in the information security field, including contributing to the creation of industry standards such as ISO 27043 and ISO 30121.

Incident Response and Management.

What is cyber incident response?

Cyber incident response is the process of exchanging necessary information on a cyber security incident with individuals or organizations responsible for conducting or coordinating remediation to address the cyber security incident.

What is the best way to perform effective incident response event validation?

Available threat intelligence helps you distinguish between real security alerts that may lead to incidents and false positives. DFLabs' patent-pending Automated Responder Knowledge (ARK) module applies machine learning to historical responses to incidents of a similar nature and recommends relevant playbooks, runbooks and courses of action to manage and mitigate them, expediting validation and incident response times.

Is it possible to automatically trigger a chain of events to respond immediately to a security alert or incident?

Simply put, yes. On detection of a new security alert, DFLabs R3 Rapid Response Runbooks fully automate the triage, investigation and containment of incidents using conditional and automated actions, allowing workflows to execute a variety of data enrichment, notification, containment and custom actions based on complex, stateful and logical decision making. As more alerts are responded to, our Automated Responder Knowledge (ARK) module applies machine learning to those historical responses over time.

Can I integrate IncMan SOAR with separate management applications and solutions?

IncMan SOAR allows you to fuse security intelligence together, enabling you to aggregate, correlate and analyze data from hundreds of leading 3rd party security and threat intelligence sources. A classic example is a ticketing system, which is used by virtually all security operations teams. As a new security alert notification comes in, IncMan can trigger the creation of a new incident ticket as part of its process, alongside carrying out other automated and predefined containment and remediation actions and tasks. As well as reducing the manual and mundane work of a security analyst in setting up a ticket to start the incident process, this speeds up the chain of activities, sometimes eliminating the alert before a security analyst has even seen it.
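The runbook behaviour described in the three answers above (conditional, stateful chains of actions; fully versus semi-automated steps with the final decision left to an analyst; ticket creation alongside containment) can be illustrated with a small engine. The code below is an added example and is not DFLabs or IncMan code; the connector names (THREAT_INTEL, open_ticket, block_ip), the reputation values and the alert fields are assumptions, and all "3rd party systems" are in-memory stand-ins.

```python
"""Added example, not DFLabs/IncMan code: a minimal conditional runbook engine.

An alert triggers an ordered chain of steps (enrichment, ticket creation,
containment). Each step carries a condition evaluated against the state
gathered so far and is either fully automated or semi-automated, i.e. the
runbook pauses until an analyst approves that step. Connector names and the
reputation feed are assumptions; every "external system" is an in-memory stub.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, FrozenSet, List, Optional, Set


class Mode(Enum):
    AUTO = "auto"  # runs without human intervention
    SEMI = "semi"  # runs only after an analyst approves it


@dataclass
class Context:
    alert: Dict[str, str]
    state: Dict[str, object] = field(default_factory=dict)
    done: Set[str] = field(default_factory=set)   # steps already handled
    log: List[str] = field(default_factory=list)
    pending: Optional[str] = None                 # step waiting for approval


@dataclass
class Step:
    name: str
    mode: Mode
    action: Callable[[Context], None]
    when: Callable[[Context], bool] = lambda ctx: True  # default: always run


# --- constructed stand-ins for 3rd party connectors (not real systems) ---
THREAT_INTEL = {"203.0.113.7": "known-c2"}   # constructed reputation feed
TICKETS: List[Dict[str, str]] = []           # stand-in ticketing system
BLOCKED: List[str] = []                      # stand-in firewall block list


def enrich(ctx: Context) -> None:
    ctx.state["reputation"] = THREAT_INTEL.get(ctx.alert["src_ip"], "unknown")


def open_ticket(ctx: Context) -> None:
    ticket = {"id": f"INC-{len(TICKETS) + 1}", "summary": ctx.alert["summary"],
              "src_ip": ctx.alert["src_ip"], "reputation": str(ctx.state["reputation"])}
    TICKETS.append(ticket)
    ctx.state["ticket_id"] = ticket["id"]


def block_ip(ctx: Context) -> None:
    BLOCKED.append(ctx.alert["src_ip"])
    ctx.state["contained"] = True


def close_false_positive(ctx: Context) -> None:
    ctx.state["disposition"] = "false_positive"


RUNBOOK: List[Step] = [
    Step("enrich", Mode.AUTO, enrich),
    Step("open_ticket", Mode.AUTO, open_ticket,
         when=lambda c: c.state["reputation"] != "unknown"),
    Step("block_ip", Mode.SEMI, block_ip,            # containment gated on a human
         when=lambda c: c.state["reputation"] == "known-c2"),
    Step("close_fp", Mode.AUTO, close_false_positive,
         when=lambda c: c.state["reputation"] == "unknown"),
]


def run(ctx: Context, steps: List[Step],
        approvals: FrozenSet[str] = frozenset()) -> Context:
    """Execute steps in order. Steps already handled are skipped, so calling
    run() again with the analyst's approval resumes a paused runbook."""
    for step in steps:
        if step.name in ctx.done:
            continue
        if not step.when(ctx):
            ctx.log.append(f"skip {step.name}")
            ctx.done.add(step.name)
            continue
        if step.mode is Mode.SEMI and step.name not in approvals:
            ctx.pending = step.name
            ctx.log.append(f"awaiting approval: {step.name}")
            return ctx
        step.action(ctx)
        ctx.done.add(step.name)
        ctx.log.append(f"ran {step.name}")
    ctx.pending = None
    return ctx


if __name__ == "__main__":
    c = run(Context(alert={"summary": "beacon", "src_ip": "203.0.113.7"}), RUNBOOK)
    print(c.log, "pending:", c.pending)          # ticket opened, block awaits approval
    c = run(c, RUNBOOK, approvals=frozenset({"block_ip"}))
    print(c.log, "contained:", c.state.get("contained"))
```

The design point is the `done` set: because completed and skipped steps are remembered on the context, the same `run()` call both executes and resumes the chain, so a semi-automated containment step can wait for an analyst without the enrichment and ticketing work being repeated.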


How can I customize tools recommended by NIST to collect critical threat intelligence?

NIST and industry best practices recommend that syslog is configured, monitored and collected to add to threat intelligence and to capture events that would otherwise go unnoticed.
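Collected syslog is only useful once it is parsed and watched. As an added example (not DFLabs or IncMan code), the block below parses BSD-style (RFC 3164) syslog lines into structured events, decodes the PRI value into facility and severity, and runs one detection over the result: a burst of failed SSH password attempts from a single source. The sample lines are constructed for this example, and the threshold of three attempts is an assumption.

```python
"""Added example, not DFLabs/IncMan code: parse RFC 3164 syslog lines and run
a simple detection over them. Sample lines are constructed; the regexes and
the threshold are assumptions chosen for illustration.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed sample lines in BSD/RFC 3164 format; not real log data.
SAMPLE_LINES = [
    "<86>Mar  4 10:15:01 bastion sshd[1201]: Failed password for root from 198.51.100.23 port 4412 ssh2",
    "<86>Mar  4 10:15:03 bastion sshd[1201]: Failed password for root from 198.51.100.23 port 4413 ssh2",
    "<86>Mar  4 10:15:05 bastion sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 4414 ssh2",
    "<86>Mar  4 10:15:09 bastion sshd[1204]: Accepted publickey for deploy from 192.0.2.10 port 5100 ssh2",
    "<78>Mar  4 10:15:10 bastion cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
    "this line is not syslog at all",
]

# PRI = facility * 8 + severity (RFC 3164, section 4.1.1)
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
              6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}

RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2}\s{1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) "
    r"(?P<tag>[^\s:\[]+)(?:\[(?P<pid>\d+)\])?: ?"
    r"(?P<msg>.*)$"
)
FAILED_LOGIN = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3})"
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a structured event, or None if the line is not RFC 3164 syslog."""
    m = RFC3164.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    if pri > 191:           # 23 * 8 + 7 is the largest valid PRI
        return None
    return {
        "facility": FACILITIES.get(pri // 8, f"facility{pri // 8}"),
        "severity": SEVERITIES[pri % 8],
        "timestamp": m["ts"],
        "host": m["host"],
        "app": m["tag"],
        "pid": int(m["pid"]) if m["pid"] else None,
        "message": m["msg"],
    }


def detect_failed_logins(events: List[Dict[str, object]], threshold: int = 3) -> Dict[str, int]:
    """Count failed password attempts per source IP in auth/authpriv events
    and return the sources that reached the threshold."""
    counts: Counter = Counter()
    for ev in events:
        if ev["facility"] not in ("auth", "authpriv"):
            continue
        m = FAILED_LOGIN.search(str(ev["message"]))
        if m:
            counts[m["ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def analyze(lines: List[str]) -> Dict[str, object]:
    """Parse every line, keep count of what could not be parsed (collection
    gaps are themselves worth monitoring), and run the detection."""
    events = [ev for ev in (parse_line(ln) for ln in lines) if ev is not None]
    return {"parsed": len(events), "unparsed": len(lines) - len(events),
            "failed_login_sources": detect_failed_logins(events)}


if __name__ == "__main__":
    print(analyze(SAMPLE_LINES))
```

The unparsed count is reported deliberately: a source whose lines suddenly stop parsing (a format change, a misconfigured forwarder) is exactly the kind of event that "would otherwise go unnoticed" if only matched alerts were counted.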

What procedures should I follow when implementing a new feature or version of an application or tool?

It is highly recommended that you follow your organization's specific change management practices, one of which may be to open a change record that notifies all relevant stakeholders of the change and lets them track the success of its implementation. Always have a backup and a fallback plan. Provide operations with good documentation, contact details and a list of instructions for what to do if problems or errors occur, so that they know in advance what actions to take to correct the issue.

How do I select tools and integrations from 3rd party vendors that meet industry best practices, that will be beneficial to me?

First of all, do some research and consider the pros and cons of using the tool or application in your specific environment. At the same time, validate that it offers good live online support, as well as good maintenance support, should you need it. Ensure the tool adheres to industry best practices and to any regulatory or legal compliance requirements you need to meet. We advise following cybersecurity integration standards with 3rd party vendors, especially when it comes to integrations that enrich threat intelligence information. TAXII, MISP, REST APIs, JSON, XML, CSV, PCAP, SNMP, email, databases, syslog, WHOIS, Python, Perl, PDF, R3, PRISM, etc. facilitate integration with other third party tools and provide richer threat intelligence for forensic investigation, analysis and reporting.
