Developing SOAR (Security Orchestration, Automation, and Response) playbooks can be daunting, especially if it’s your first time using a SOAR platform. The sheer number of design possibilities can make the process feel overwhelming. While vendors might offer out-of-the-box playbooks, these often require significant customization to fit the unique needs of your environment.
At D3 Labs, we’ve honed an artifact-based methodology to simplify playbook development. This approach helps you focus on what’s essential, making the process more manageable and your playbooks more effective.
Start with Integration Commands
Begin by taking inventory of the security tools integrated into your SOAR platform. Each integration comes with its own set of commands that the platform can execute. Some SOAR solutions provide these commands readily, while others might require custom development.
For example, consider integrations with SentinelOne for endpoint protection, Palo Alto Networks for firewall management, and Active Directory for identity services. Each offers specific commands:
SentinelOne Commands:
get_device_info
isolate_device
initiate_scan
kill_process
fetch_threats
Palo Alto Networks Commands:
block_ip_address
unblock_ip_address
get_security_policies
update_address_group
get_active_sessions
Active Directory Commands:
get_user_groups
reset_user_password
disable_user_account
get_login_history
add_user_to_group
These commands are the building blocks of your playbook—the actions you can automate. Starting with a clear understanding of what’s available sets defined boundaries and transforms a potentially overwhelming task into a manageable one.
Organize Commands into Functional Categories
Next, organize these commands into categories that a playbook can assist with during an investigation:
- Enrichment: Gathering additional information to provide context for an alert or incident.
- Containment: Actions aimed at limiting the impact or spread of a threat.
- Recovery: Steps to restore systems and operations to normal after an incident.
- Case Management: Documenting the incident and managing the response workflow.
Example Categorization:
- Enrichment:
SentinelOne.get_device_info
ActiveDirectory.get_user_groups
PaloAlto.get_security_policies
- Containment:
SentinelOne.isolate_device
PaloAlto.block_ip_address
ActiveDirectory.disable_user_account
- Recovery:
SentinelOne.reconnect_device
PaloAlto.unblock_ip_address
ActiveDirectory.enable_user_account
- Case Management:
create_incident_record
update_incident_status
notify_stakeholders
This organization helps structure your playbook logically, ensuring that each phase of the incident response process is adequately addressed.
Identify Key Artifacts
Artifacts are data elements relevant to your security incidents, such as device IDs, user IDs, IP addresses, file hashes, and process names. Identifying which artifacts are pertinent to your environment is crucial. This depends on your detection rules, infrastructure, and the types of threats you commonly encounter.
For instance, important artifacts might include:
- Device ID: Identifiers for affected endpoints.
- User ID: Accounts that may be compromised or involved.
- IP Address: Network addresses associated with suspicious activity.
Using real alert data from your environment can help pinpoint these artifacts.
Map Commands to Artifacts
With your artifacts identified, map them to the integration commands that can process them. This step narrows your focus to commands directly applicable to handling the artifacts in question.
Mapping Example:
- Device ID:
SentinelOne.get_device_info(device_id)
SentinelOne.isolate_device(device_id)
SentinelOne.initiate_scan(device_id)
- User ID:
ActiveDirectory.get_user_groups(user_id)
ActiveDirectory.reset_user_password(user_id)
ActiveDirectory.disable_user_account(user_id)
- IP Address:
PaloAlto.block_ip_address(ip_address)
PaloAlto.unblock_ip_address(ip_address)
PaloAlto.get_active_sessions(ip_address)
By focusing on commands that interact with your key artifacts, you streamline your playbook, making it more efficient and relevant to your specific needs.
Build Playbook Stages
With commands categorized and mapped, you can begin constructing the stages of your playbook.
Stage 1: Enrichment
The enrichment stage automates the collection of additional information, providing valuable context that helps analysts make informed decisions.
Enrichment Actions:
- Active Directory:
get_user_groups(user_id)
to determine the user’s access levels.get_login_history(user_id)
to identify any unusual login activities.get_management_chain(user_id)
to facilitate communication with relevant personnel.
- Palo Alto Networks:
get_security_policies()
to understand current firewall rules.get_active_sessions(ip_address)
to see if the IP is active on the network.get_threat_logs(ip_address)
to retrieve related security events.
- SentinelOne:
get_device_info(device_id)
to gather details about the affected endpoint.list_running_processes(device_id)
to identify suspicious processes.fetch_threats(device_id)
to retrieve known threats associated with the device.
Automating enrichment reduces manual workload and speeds up the response time, allowing your team to focus on analysis and decision-making.
Stage 2: Containment
Containment actions aim to prevent further damage or spread of the threat. Depending on your organization’s policies, these actions might be automated or require approval.
Containment Actions:
- Active Directory:
disable_user_account(user_id)
to prevent unauthorized access.reset_user_password(user_id)
as a security measure.remove_user_from_groups(user_id)
to limit access privileges.
- Palo Alto Networks:
block_ip_address(ip_address)
to stop communication with malicious IPs.update_address_group(ip_address)
to adjust security policies.terminate_sessions(ip_address)
to disconnect ongoing connections.
- SentinelOne:
isolate_device(device_id)
to remove the endpoint from the network.kill_process(device_id, process_name)
to stop malicious activities.quarantine_file(device_id, file_hash)
to isolate harmful files.
Containment steps should be executed carefully to minimize impact on normal operations while effectively neutralizing the threat.
Stage 3: Recovery
Recovery involves restoring systems and operations to their normal state after ensuring the threat has been addressed.
Recovery Actions:
- Active Directory:
enable_user_account(user_id)
after verifying it’s safe.add_user_to_group(user_id)
to restore access levels.notify_user(user_id)
with instructions or updates.
- Palo Alto Networks:
unblock_ip_address(ip_address)
if the block is no longer necessary.restore_security_policies()
to revert any temporary changes.
- SentinelOne:
reconnect_device(device_id)
to bring the endpoint back online.verify_device_status(device_id)
to ensure it’s secure.
Recovery actions should only proceed once you’re confident the threat has been fully contained and eliminated.
Automate Case Management
Effective case management is essential throughout the incident response process. Documenting actions, findings, and communications ensures compliance and aids in future analysis.
Case Management Actions:
create_incident_record(incident_details)
to initiate tracking.update_incident_status(incident_id, status)
to keep records current.attach_evidence(incident_id, data)
to compile relevant information.notify_stakeholders(incident_id, updates)
to keep key personnel informed.
A solid case management process enhances transparency and supports a coordinated response effort.
Wrapping Up: From Artifacts to Customized SOAR Playbooks
Adopting an artifact-based approach simplifies SOAR playbook development and enhances effectiveness. By focusing on the tools and data most relevant to your environment, you create playbooks that are tailored and actionable.
Key Steps Recap:
- Identify Integrations: List the security tools connected to your SOAR platform.
- Catalog Available Commands: Understand the actions you can automate.
- Determine Relevant Artifacts: Focus on the data elements critical to your incidents.
- Map Commands to Artifacts: Align actions with the artifacts they affect.
- Build Playbook Stages: Organize actions into enrichment, containment, recovery, and case management.
This approach reduces the number of relevant tasks for your playbook down to a few logical choices. Then, you can drag-and-drop them into your playbook builder and test them for effectiveness. Read our series below to see this implemented in four parts:
How to Build a Phishing Playbook Part 1
How to Build a Phishing Playbook Part 2