SOAR Use Case: Threat Hunting in GitHub
As more companies are moving out of physical data centers and into cloud-based solutions, analysts need to develop new ways to analyze these solutions for risks and threats. There are, however, several challenges to doing this effectively:
- Thousands of log entries per day to analyze
- Human analysts are limited in both quantity and availability
- It would take hours to search through a day’s worth of data
- No easy way to retain learned threat intelligence and improve institutional knowledge
Automated threat hunting of AWS CloudTrail logs with Devo SOAR is a powerful and easy way to kick off your threat hunting campaigns by focusing on a smaller subset of important events. Devo SOAR reduces the noise in the data by identifying a smaller subset of riskier entries.
Devo SOAR has developed a playbook to hunt for risks in AWS CloudTrail logs. Our approach breaks the investigation into 7 parallel investigations whose results are sorted into two high-level buckets (bad/malicious or needs further investigation) based on a scoring model. An event scoring 10 lands in the "bad/malicious" bucket, and a score of 1-9 lands in the "needs further investigation" bucket, where the higher the score, the more likely the event is malicious. Lower-scoring events can be filtered out to further avoid alert fatigue.
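To make the scoring-and-bucketing idea concrete, here is an added Python example that is not Devo SOAR's playbook and not taken from the original post. It runs several small "investigations" over constructed CloudTrail-style records, sums their contributions into a score capped at 10, assigns the two buckets described above, and drops events below a configurable threshold. The specific checks, their weights and the sample records are illustrative assumptions; the real playbook's seven investigations are not described on this page.

```python
"""Added example (not Devo SOAR's playbook): a minimal scoring model over
CloudTrail-style records. Checks, weights and sample data are assumptions."""
from concurrent.futures import ThreadPoolExecutor

# Constructed sample CloudTrail records, trimmed to the fields the checks use.
SAMPLE_EVENTS = [
    {"eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "sourceIPAddress": "203.0.113.10", "errorCode": None},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "Root"}, "sourceIPAddress": "198.51.100.7",
     "responseElements": {"ConsoleLogin": "Success"}, "errorCode": None},
    {"eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "198.51.100.20",
     "responseElements": {"ConsoleLogin": "Failure"}, "errorCode": None},
    {"eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
     "userIdentity": {"type": "IAMUser", "userName": "bob"},
     "sourceIPAddress": "10.0.0.5", "errorCode": None},
]


# Each "investigation" inspects one record and returns a score contribution.
# The weights below are illustrative, not a published scoring model.
def check_trail_tampering(ev):
    # Disabling or deleting the trail is treated as decisive on its own.
    return 10 if ev.get("eventName") in {"StopLogging", "DeleteTrail", "UpdateTrail"} else 0


def check_root_activity(ev):
    return 6 if ev.get("userIdentity", {}).get("type") == "Root" else 0


def check_failed_console_login(ev):
    resp = ev.get("responseElements") or {}
    return 3 if ev.get("eventName") == "ConsoleLogin" and resp.get("ConsoleLogin") == "Failure" else 0


def check_access_denied(ev):
    return 2 if ev.get("errorCode") in {"AccessDenied", "UnauthorizedOperation"} else 0


def check_external_source(ev):
    # Assumption for this example: 10.x and 192.168.x are the organisation's own ranges.
    ip = ev.get("sourceIPAddress", "")
    internal = ip.startswith("10.") or ip.startswith("192.168.") or ip.endswith(".amazonaws.com")
    return 0 if internal else 1


INVESTIGATIONS = [check_trail_tampering, check_root_activity, check_failed_console_login,
                  check_access_denied, check_external_source]


def score_event(ev):
    """Run every investigation in parallel and return the capped total (0..10)."""
    with ThreadPoolExecutor(max_workers=len(INVESTIGATIONS)) as pool:
        parts = list(pool.map(lambda check: check(ev), INVESTIGATIONS))
    return min(10, sum(parts))


def bucket(score):
    """Map a score onto the two buckets from the text; 0 means no finding."""
    if score >= 10:
        return "bad/malicious"
    if score >= 1:
        return "needs further investigation"
    return None


def hunt(events, min_score=1):
    """Score every record, keep those at or above min_score, and tag each with its bucket."""
    findings = []
    for ev in events:
        s = score_event(ev)
        if s >= min_score and bucket(s):
            findings.append({"eventName": ev.get("eventName"),
                             "user": ev.get("userIdentity", {}).get("userName", "root"),
                             "score": s, "bucket": bucket(s)})
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f)
```

With the constructed records, the StopLogging call scores 10 and is bucketed as bad/malicious, the root console login scores 7 and the failed login scores 4 (both "needs further investigation"), and the internal DescribeInstances call scores 0 and is dropped. Raising `min_score` is the "filter out lower-scoring events" step from the text.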
Automating threat hunting of AWS CloudTrail logs with Devo SOAR is powerful, easy, and can help you detect attackers and threats that would otherwise be missed in the mountain of data. SOC teams can improve their productivity and response times while minimizing false positives and false negatives.