IBM’s inclusion of apps over the past few releases of QRadar has brought the old saying of a ‘single pane of glass’ much closer to reality. Being able to view core infrastructure tooling from within the SIEM lets not only SOC analysts but also SIEM administrators see the data these point solutions have sent, and then pivot to the source of those events.
This blog will focus on SOCAutomation, an app published by Honeycomb Technologies. In short, for those who are unaware, ‘SOCAutomation delivers advanced automation, orchestration and integration capabilities into your QRadar and SOC Operations ecosystem, including internal and external processes and workflows, security and IT systems.’
Running SOCAutomation alongside QRadar introduces ‘automation’ to all tier 1 activities. In the most common scenario, tier 1 analysts spend the majority of their time reviewing external IPs: running threat-intel lookups, nslookup and similar checks against those entities to determine whether they are malicious or benign. SOCAutomation takes this mundane and tedious task and, as part of the automation, runs the IPs against an extensive list of threat-intelligence (TI) sources and pulls back a high-level summary of which IPs are malicious, broken down by category.
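To make the tier 1 workflow concrete, here is an added example of the enrichment step described above: pull the source IPs out of a batch of events, skip internal addresses, look each external IP up against a threat-intel table and summarise the verdicts by category. This is illustration code written for this post, not SOCAutomation’s own logic or API; the log lines and the `LOCAL_TI` table are constructed stand-ins (the real app would query live TI feeds), and the nslookup step is left out so the example runs offline.

```python
import ipaddress
import re
from collections import Counter

# Constructed firewall events (not real data). The documentation ranges
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 play the role of external IPs.
SAMPLE_EVENTS = [
    "Jan 10 12:00:01 fw01 accept src=203.0.113.7 dst=10.0.0.5 dport=443",
    "Jan 10 12:00:02 fw01 accept src=198.51.100.23 dst=10.0.0.5 dport=22",
    "Jan 10 12:00:03 fw01 deny src=192.168.1.44 dst=10.0.0.9 dport=445",
    "Jan 10 12:00:04 fw01 accept src=203.0.113.7 dst=10.0.0.8 dport=80",
    "Jan 10 12:00:05 fw01 accept src=192.0.2.99 dst=10.0.0.5 dport=443",
]

# Constructed local threat-intel table standing in for the TI feeds the app would query.
LOCAL_TI = {
    "203.0.113.7": "scanner",
    "198.51.100.23": "botnet_c2",
}

# Only RFC 1918 and loopback are treated as internal here, so the documentation
# ranges in the sample data count as external. Extend this list for your estate.
INTERNAL_NETS = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]

SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_source_ips(lines):
    """Return every src= address with the number of events it appeared in."""
    counts = Counter()
    for line in lines:
        match = SRC_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def is_external(ip):
    """True when the address falls outside the internal ranges above."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def lookup(ip, ti=LOCAL_TI):
    """Stand-in for a TI feed query: returns the feed's category or 'benign'."""
    return ti.get(ip, "benign")


def enrich(lines, ti=LOCAL_TI):
    """Run the tier 1 triage: classify each source IP and summarise by category."""
    counts = extract_source_ips(lines)
    verdicts = {}
    for ip in counts:
        verdicts[ip] = lookup(ip, ti) if is_external(ip) else "internal"
    summary = Counter(verdicts.values())
    malicious = sorted(ip for ip, cat in verdicts.items() if cat not in ("benign", "internal"))
    return {"verdicts": verdicts, "counts": dict(counts), "summary": dict(summary), "malicious": malicious}


if __name__ == "__main__":
    result = enrich(SAMPLE_EVENTS)
    print("Category summary:", result["summary"])
    for ip in result["malicious"]:
        print(f"{ip}: {result['verdicts'][ip]} ({result['counts'][ip]} events)")
```

The `summary` dictionary is the high-level view an analyst wants first (how many scanners, how many C2 hits, how many benign), while `verdicts` and `counts` give the per-IP detail to pivot back into the SIEM offences.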
This extension can be downloaded from IBM’s X-Force Exchange; the filename is SOCAutomation-QRadar_5.14.139.zip.