Internal DNS server black/sink holes malicious domain requests prior to sending the query to an external resolver. Splunk receives both DNS logs and endpoint EDR logs. Splunk alert sends over the DNS query and the IP/hostname making the DNS request to Phantom. The Phantom playbook has steps to verify the domain with a whois lookup, checks to see which user and process made the request, and performs remediation steps: lock the user account, terminate the process on the host machine asking for the malicious domain, and shut down the host remotely.

Checking the firewall for unauthorized DNS requests (the firewall only allows internal resolvers to make outbound DNS requests, and inbound is locked down to accept inbound DNS only from their vetted external resolvers; personally, that is a nuclear approach, but it works for them). Splunk gets firewall syslog, searching for src_ip!= src_port=53. Results are sent to Phantom, and the playbook is configured so that an internal IP asking DNS servers outside of the internal or vetted ones uses the playbook in the above example. For the external DNS servers, those IPs are added to the block/drop list at the firewall via the firewall's API.

The biggest argument against any SOAR product is the FUD around security specialists losing their jerbs due to automation. This, unless your leadership is daft, typically won't happen. The point of having any SOAR product is to remove human deficiencies, which are time and consistency. I advocate providing a list of things that you do that are repetitive and automate those with playbooks. You'll quickly realize that the time saved is totally worth the cost.
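The firewall-syslog check described above, written out as an added example (this is not code from the original post, and it is not a Phantom playbook or any vendor's API; the resolver lists, internal networks and the key=value syslog format are all assumed). It triages constructed firewall log lines in both directions that the search hints at: outbound queries (dst_port=53) from hosts that are not the internal resolvers, and inbound responses (src_port=53) from servers outside the vetted set. Internal offenders are routed to the host playbook; unvetted external DNS servers go onto a block-list request payload for a hypothetical firewall API.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Assumed environment (hypothetical values, not from the original post).
INTERNAL_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
VETTED_EXTERNAL_RESOLVERS = {"198.51.100.53", "203.0.113.53"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Constructed sample firewall syslog in a generic key=value style.
# Line 2/3: workstation 10.0.5.21 talks directly to an unvetted external DNS server.
# Line 4: a vetted resolver answering the internal resolver (expected traffic).
SAMPLE_SYSLOG = """\
<134>Jan 10 12:00:01 fw01 action=allow src_ip=10.0.0.53 src_port=41234 dst_ip=198.51.100.53 dst_port=53 proto=udp
<134>Jan 10 12:00:02 fw01 action=allow src_ip=10.0.5.21 src_port=51000 dst_ip=192.0.2.10 dst_port=53 proto=udp
<134>Jan 10 12:00:03 fw01 action=allow src_ip=192.0.2.10 src_port=53 dst_ip=10.0.5.21 dst_port=51000 proto=udp
<134>Jan 10 12:00:04 fw01 action=allow src_ip=203.0.113.53 src_port=53 dst_ip=10.0.0.53 dst_port=41234 proto=udp
<134>Jan 10 12:00:05 fw01 action=allow src_ip=10.0.7.9 src_port=44000 dst_ip=192.0.2.80 dst_port=443 proto=tcp
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Extract key=value fields from one syslog line into a dict."""
    return dict(KV_RE.findall(line))


def is_internal(ip):
    """True if ip parses and falls inside one of the assumed internal networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


@dataclass
class Findings:
    host_playbook: list = field(default_factory=list)  # internal hosts bypassing the resolvers
    block_list: list = field(default_factory=list)     # external DNS servers to drop at the firewall


def triage(syslog_text):
    """Replicates the 'DNS not via our resolvers' search and splits results by remediation path."""
    found = Findings()
    for line in syslog_text.splitlines():
        ev = parse_line(line)
        src, dst = ev.get("src_ip"), ev.get("dst_ip")
        if not src or not dst:
            continue
        # Outbound query from an internal host that is not one of our resolvers.
        if ev.get("dst_port") == "53" and is_internal(src) and src not in INTERNAL_RESOLVERS:
            found.host_playbook.append(src)
            if not is_internal(dst) and dst not in VETTED_EXTERNAL_RESOLVERS:
                found.block_list.append(dst)
        # Inbound answer from an external server that is not on the vetted list.
        elif ev.get("src_port") == "53" and not is_internal(src) and src not in VETTED_EXTERNAL_RESOLVERS:
            found.block_list.append(src)
            if is_internal(dst) and dst not in INTERNAL_RESOLVERS:
                found.host_playbook.append(dst)
    # Deduplicate while keeping first-seen order, so each host/server is actioned once.
    found.host_playbook = list(dict.fromkeys(found.host_playbook))
    found.block_list = list(dict.fromkeys(found.block_list))
    return found


def build_block_request(ips):
    """Payload for a hypothetical firewall block-list API (shape is assumed, not any vendor's)."""
    return {"action": "drop", "addresses": sorted(set(ips)), "reason": "unvetted external DNS server"}


if __name__ == "__main__":
    result = triage(SAMPLE_SYSLOG)
    print("send to host playbook:", result.host_playbook)
    print("firewall block request:", build_block_request(result.block_list))
```

Fields from the real Splunk search would replace SAMPLE_SYSLOG, and the two lists map onto the two playbook branches in the post: host_playbook entries get the whois/user/process/remediation steps, block_list entries get pushed to the firewall.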