Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Contact us Visit the contact us page
Chronicle Return to the Chronicle homepage
Security Operations Platform arrow_forward expand_more
Security Operations Platform

Explore the Security Operations Platform for the modern SOC.

Security Operations Platform
Overview Detect, investigate, and respond to cyber threats with speed, scale, and precision.
Detect Detect threats with confidence by storing and analyzing all your security telemetry at Google scale.
Investigate Get faster insights with context and depth of investigation to stay ahead of the latest breaches.
Respond Orchestrate tools, build automation, and collaborate with ease to respond in minutes.
Solutions arrow_forward expand_more
Solutions

Reimagine your security operations with affordable solutions.

Solutions
Mandiant Hunt for Chronicle Uncover hidden attacks with elite threat hunters by your side.
SOC Modernization Protect your organization against modern-day threats.
Cloud detection & response Improve investigation and response to cloud-based threats.
Service providers Attract new customers and keep existing ones coming back.
Chronicle CyberShield Helping Governments Defend Against Modern Threats
Why Chronicle arrow_forward expand_more
Why Chronicle

Rely on a modern approach to threat detection and response.

Why Chronicle
How we’re different Add Google speed, scale and intelligence to your SOC.
Our customers Discover how modern security teams use Chronicle.
Partners arrow_forward expand_more
Partners

We work together with our partners to help our customers protect themselves.

Partners
Overview Through product integrations and security expertise, together we bring more effective solutions to market.
Solutions for Small to Mid-Sized Business Expert resources for organizations with up to 2000 employees
Resources arrow_forward expand_more
Resources

Get to know us better. Find out what we’ve learned, what’s new, and what’s next.

Resources
Blog Get an inside view of the digital security landscape.
Knowledge Base Sortable whitepapers, datasheets, videos, and more.
Community Join security pros sharing SecOps content and best practices
Mandiant Incident Response Visit the Mandiant Incident Response page
Support Visit the Google Cloud Support hub
Careers Browse open positions at Chronicle
IDC Study: Customers cite 407% ROI with Google Chronicle. Learn More IDC Study: Customers cite 407% ROI with Google Chronicle. .
How to kickstart automation for your security operations
Ivan Ninichuck
Solutions Architect, Google Cloud
November 2, 2022
Introduction to the Chronicle Security Operations Suite
Demo webinar
Reserve your seat Reserve your seat

When planning how you are going to move your security operations from manual to automated workflows, you must first understand the mission your organization is setting for your security team, and how it supports business needs.

The relationship among regulatory requirements, market forces and information technologies realities that organizations must contend with all play a role when planning.

A key part of successfully automating a SOC is first having a clear understanding of how the assets being protected fit into achieving this overall mission, and developing metrics around these goals that will measure success along the way.

The first lesson I learned when creating automation use cases was that it required me to work with levels of abstraction other than detection engineering. Typically a detection is designed to target a specific technique, but this can be inefficient when planning automation use cases.

Chronicle SOAR uses triggers that activate a playbook when an alert is ingested. Most playbooks can be designed to handle several different types of alerts per use case. For this reason I prefer to organize my use cases around the specific data source being referenced, or in some cases the tactic. For example I might use EDR telemetry that can be primarily handled through one main playbook considering that many of the enrichment steps and investigation escalation will be the same.

MITRE ATT&CK Data Sources provide an excellent breakdown of what alert types can be grouped together. For example you would have different playbooks to deal with Active Directory alerts versus possible C2 traffic with a malicious domain.

The convenience here is that the data sources have also been mapped with components that correspond to specific sub-techniques. Using this mapping you can even view the alert types that you expect the playbook to deal with.

Google Cloud customers can even utilize the cloud security control mappings that provide a direct link between the key controls needed for a secure environment and the ATT&CK techniques that are likely to be used by adversaries.

These higher levels of abstraction allow you to make generic playbooks that cover multiple alerts but also provide the ability to quickly isolate the attacks to which the playbook is expected to react.

Organize mission-critical procedures

Remember that the importance of a SOC is only going to become a verifiable metric if its core mission is clearly defined. The next step that every team should follow is identify what threats are most likely to affect your most valued assets and business workflows. Many times these will be well-known use cases, such as phishing attempts, anomalous logins, malware detections and other common techniques used by adversaries.

Remember that specific industry threat intel is often worth taking a close look at as well. These key techniques should all have well-defined procedures for triage and investigation, and this is before automation is put in place.

Even if each step is manual, your team will find huge value in perhaps using chart drawing tools to create workflows. Use case architects can then use these same charts to create the playbooks your team needs.

During my time building automation playbooks, I have seen that by having manual processes outlined ahead of attempting automation it accelerates the design process, makes it easier to identify problem areas, and allows the engineering team to improve the workflow to an even greater extent since they have a starting point.

Turn common manual tasks into blocks

The best strategy when building playbooks for Chronicle SOAR is identify workflows that are going to be used across multiple playbooks and put them in blocks. These blocks can be thought of as contained functions that can be reused across multiple use cases. Some of the most common blocks I have designed are related to threat intel enrichment, communication such as email or chat, and ticketing systems that might be involved.

For instance, I can build blocks that contain my VirusTotal and other file analysis integrations and reuse that block across my entire collection of playbooks. Blocks also have a place for inputs, which makes it easy to customize what data will be used inside the block.

I often use these inputs when I am using templates. such as for emails or ticketing systems. For example, a ServiceNow ticket has certain fields that I will set as block inputs. This way I can reuse that same SNOW block and just change the content of the input for that specific ticket.

Consider these final reminders

Remember that the core mission of your SOC will guide what procedures need to be prioritized when automating manual procedures.

The best way to start is to identify these manual procedures by making flow charts, and giving them tags from ATT&CK that correspond to a tactic, technique, or data source. This tagging will make it much easier to keep things organized, and will provide a key metric on how much of your environment has automation involved in its protection.

The use of blocks will make the design process go faster as you move along, but don’t be afraid to move slowly at first. Sometimes, it is better to automate one manual task at a time, even in a SOAR playbook.

Every action that you use has the option to be used manually or automatically, and setting them to manual at the start of your journey will give you control over the final steps to be automated—and provide useful testing.

The next steps of your journey will be to review these playbooks often. Ask yourself questions about bottlenecks in the flow that might be costing your analysts quite a bit of time. Are their ways to further automate common tasks, such as investigation queries that are reused? These next steps in the maturing of your SOAR playbooks are essential as you seek to reach an even higher level of security.

Let’s work together

Ready for Google-speed threat detection and response?

Contact us Visit the contact us page