During my day to day, I identified a workload that I was able to fully automate with a SOAR playbook.
I have created a SOAR playbook that does the following.
Takes the outbound IP address from incident data as a trigger. In my example, 18.104.22.168.
The playbook automates the following workload.
- Checks WhosthisIP to gather information about this external IP (domain, etc)
- Uses SearchAPI to extract all users that have interacted with this IP (from the SIEM). Also extracts all the incidents related to the above IP
- Uses SearchAPI to get the number of incidents this user is associated with in the last 12 hours
- Sends an email to the required address (completely customisable) with the list of those incidents info (this could be your SOC's email, or analyst's email) and waits for response
- Uses IncidentAPI to mark this incident as resolved and close the case when the email gets a response.
This playbook can be nested with other playbooks or you can run it independently. Please be aware that when you run it independently, it will create a case item.
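The steps above, written out as an added Python example of the playbook's decision logic (this is not the author's playbook and not any SOAR product's API). The SIEM events, incidents and enrichment results are constructed in memory so it runs offline; `WhosthisIP`, `SearchAPI` and `IncidentAPI` are represented by plain functions over that data, and the "send email and wait" step is a callable the caller supplies, so the closing step only runs once a reply arrives.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List

# --- Constructed sample data (stands in for the SIEM and enrichment lookups) ---

@dataclass
class Event:
    ts: datetime
    user: str
    dst_ip: str


@dataclass
class Incident:
    id: str
    ts: datetime
    user: str
    dst_ip: str
    status: str = "open"


NOW = datetime(2024, 1, 1, 12, 0)           # fixed clock so the 12-hour window is deterministic
TRIGGER_IP = "18.104.22.168"                 # the outbound IP from the post

EVENTS = [
    Event(NOW - timedelta(hours=1), "alice", TRIGGER_IP),
    Event(NOW - timedelta(hours=5), "bob", TRIGGER_IP),
    Event(NOW - timedelta(hours=2), "carol", "203.0.113.9"),   # unrelated destination
]

INCIDENTS = [
    Incident("INC-1", NOW - timedelta(hours=1), "alice", TRIGGER_IP),
    Incident("INC-2", NOW - timedelta(hours=20), "alice", "198.51.100.7"),  # older than 12h
    Incident("INC-3", NOW - timedelta(hours=3), "alice", "198.51.100.7"),
    Incident("INC-4", NOW - timedelta(hours=5), "bob", TRIGGER_IP),
]

# Placeholder enrichment result; a real playbook would call the WhoIs connector here.
ENRICHMENT = {TRIGGER_IP: {"domain": "example.invalid", "note": "constructed sample"}}


# --- Playbook steps ---

def enrich_ip(ip: str) -> Dict[str, str]:
    """Step 1: external IP enrichment (stand-in for the WhosthisIP lookup)."""
    return ENRICHMENT.get(ip, {"domain": "unknown"})


def users_for_ip(events: List[Event], ip: str) -> List[str]:
    """Step 2a: every user that interacted with the IP, from SIEM events."""
    return sorted({e.user for e in events if e.dst_ip == ip})


def incidents_for_ip(incidents: List[Incident], ip: str) -> List[Incident]:
    """Step 2b: every incident already tied to the IP."""
    return [i for i in incidents if i.dst_ip == ip]


def incident_count_last_hours(incidents: List[Incident], user: str,
                              now: datetime, hours: int = 12) -> int:
    """Step 3: how many incidents the user appears in within the window."""
    cutoff = now - timedelta(hours=hours)
    return sum(1 for i in incidents if i.user == user and cutoff <= i.ts <= now)


def build_summary(ip: str, events: List[Event], incidents: List[Incident],
                  now: datetime) -> dict:
    users = users_for_ip(events, ip)
    return {
        "ip": ip,
        "enrichment": enrich_ip(ip),
        "users": users,
        "related_incidents": [i.id for i in incidents_for_ip(incidents, ip)],
        "counts_12h": {u: incident_count_last_hours(incidents, u, now) for u in users},
    }


def format_email(summary: dict) -> str:
    """Step 4: the body sent to the SOC / analyst mailbox."""
    lines = [f"Outbound IP {summary['ip']} ({summary['enrichment']['domain']})",
             "Related incidents: " + ", ".join(summary["related_incidents"])]
    for user, n in summary["counts_12h"].items():
        lines.append(f"  {user}: {n} incident(s) in the last 12h")
    return "\n".join(lines)


def run_playbook(incident: Incident, events: List[Event], incidents: List[Incident],
                 now: datetime, send_and_wait: Callable[[str], bool]) -> dict:
    """Full run: enrich, search, email, then close only once a reply is received."""
    summary = build_summary(incident.dst_ip, events, incidents, now)
    replied = send_and_wait(format_email(summary))          # blocks until the mailbox answers
    if replied:
        incident.status = "resolved"                         # Step 5: IncidentAPI close
    summary["closed"] = replied
    return summary


if __name__ == "__main__":
    result = run_playbook(INCIDENTS[0], EVENTS, INCIDENTS, NOW, lambda body: True)
    print(format_email(result))
```

Running it independently here resolves INC-1 because the supplied `send_and_wait` answers immediately; wiring the same function to a real mailbox poll is what turns the in-memory logic into the waiting step the post describes.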
Do try and let me know what you think. Please feel free to modify and add other interesting workflows that can be automated, and share back.