There are two ways SOC.OS can collect alerts: via an agent installed in your network for on-premise security tools, or directly from the APIs of cloud security tools.
Check out the Integrating your Tools section for information on how to get your source systems set up.
For on-premise tooling, security alerts are forwarded over syslog from the alerting systems to the SOC.OS agent, a lightweight executable installed on your IT network that can run on almost any operating system.
Multiple source systems can send to a single agent, e.g. firewall IPS/IDS and endpoint protection devices. Once the agent receives alerts, it forwards them to the SOC.OS cloud platform.
The installation of the agent takes a matter of minutes, and once configured works autonomously to forward alerts to the SOC.OS cloud platform.
Check out the Installing the SOC.OS Agent section for information on how to get the agent up and running.
Additionally, the SOC.OS cloud platform can be configured with the appropriate credentials to collect alerts directly from the APIs of your cloud-based security tools.
Incoming alert streams do not always contain just alerts: often they are interspersed with additional logging or known false-positive alerts that SOC.OS does not need to ingest.
SOC.OS offers the capability to filter out this data, leaving you with just the important stuff.
Once received, the alert data is cleansed and parsed, and the MITRE ATT&CK® threat associated with the alert is identified. Alerts are then enriched with threat intelligence data from AbuseIPDB and AlienVault OTX (Open Threat Exchange) as well as your own custom enrichment, giving the analyst the context needed to make data-driven remediation decisions quickly and effectively.
Within the tool, users can list critical business assets (e.g. an important web server or email address). When an alert contains one of these assets, it is not only easy to locate quickly but is automatically scored higher and moved closer to the top of the priority-ranked investigation workbench.
The enriched alerts are then correlated into related groups, called clusters in SOC.OS terminology, based on a number of rules. This ensures that, for example, alerts targeting the same part of your network with similar threat types appear in the same cluster and can be examined in one go. Each cluster consists of anywhere from 1 to 5,000 alerts.
SOC.OS normalises how severity is determined across your different source systems by assigning a base score to every incoming alert. A number of different factors can then be applied to boost or suppress the score of the alert. The final score of a cluster is then determined by combining the scores of all the alerts it contains.
These clusters are then ranked so that the ones deemed to require urgent investigation can be found easily on the SOC.OS workbench. Users also have the ability to specify high-importance assets in their network, with clusters containing these assets being moved further up the priority ranking.
Cluster investigation can then be completed entirely through the SOC.OS workbench: the original alerts, third-party threat feeds, custom enrichment and in-tool security training tips are all accessible from a single intuitive UI.
The clusters themselves are visualised graphically using a bespoke data visualisation tool, allowing the analyst to understand at a glance the MITRE ATT&CK® threat type, the incident timeline (which can span days, weeks or months) and the entities involved.
Once investigated, a cluster is never closed completely; it is archived and automatically re-opened if a new alert is correlated with the incident. Analysts are then shown the complete history of the cluster, so they immediately gain the insights from the previous investigation.
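The stages described on this page (filtering out non-alert logging and known false positives, normalising severity to a base score, boosting the score for threat-intelligence hits and critical assets, correlating alerts into clusters, scoring and ranking clusters, and archiving a cluster so that a new correlated alert re-opens it with its history intact) are shown below as a single added Python example. This is illustrative code written for this page, not SOC.OS's implementation: the severity mappings, the 1.5x and 1.25x boost factors, the (target, ATT&CK technique) correlation key, the sum-and-cap cluster score, the lists of false positives, threat-intel hits and critical assets, and the sample alert stream are all constructed assumptions.

```python
"""Toy alert pipeline mirroring the stages described on this page.

Added example, not SOC.OS code. Every rule and weight here is an assumption
chosen to illustrate the workflow; the product's real rules are not documented
on this page.
"""

# Constructed sample stream (not real data). As the page notes, a raw stream
# mixes real alerts with plain logging and known false positives.
SAMPLE_ALERTS = [
    {"source": "firewall-ips", "severity": "high", "signature": "SQLi attempt",
     "attack": "T1190", "src": "203.0.113.7", "dst": "web-01", "kind": "alert"},
    {"source": "firewall-ips", "severity": "medium", "signature": "SQLi attempt",
     "attack": "T1190", "src": "203.0.113.7", "dst": "web-01", "kind": "alert"},
    {"source": "edr", "severity": 4, "signature": "Suspicious PowerShell",
     "attack": "T1059", "src": "ws-42", "dst": "ws-42", "kind": "alert"},
    {"source": "edr", "severity": 1, "signature": "Heartbeat", "kind": "log"},
    {"source": "firewall-ips", "severity": "low", "signature": "Known scanner noise",
     "attack": "T1046", "src": "192.0.2.9", "dst": "web-01", "kind": "alert"},
]

# Stage 1: filtering. Assumed analyst-maintained list of signatures to drop.
KNOWN_FALSE_POSITIVES = {"Known scanner noise"}

def filter_stream(alerts):
    """Keep only real alerts that are not on the known-false-positive list."""
    return [a for a in alerts
            if a.get("kind") == "alert" and a["signature"] not in KNOWN_FALSE_POSITIVES]

# Stage 2: severity normalisation. Each source has its own scale; map all of
# them onto a common 0-100 base score (assumed mapping).
SEVERITY_MAPS = {
    "firewall-ips": {"low": 20, "medium": 50, "high": 80},
    "edr": lambda s: s * 20,          # numeric 1-5 scale
}

def base_score(alert):
    m = SEVERITY_MAPS[alert["source"]]
    return m(alert["severity"]) if callable(m) else m[alert["severity"]]

# Stage 3: boost factors. Constructed stand-ins for threat-intel lookups
# (AbuseIPDB / OTX) and for the user's critical-asset list.
THREAT_INTEL_HITS = {"203.0.113.7"}
CRITICAL_ASSETS = {"web-01"}

def enriched_score(alert):
    """Base score with assumed multiplicative boosts, capped at 100."""
    score = base_score(alert)
    if alert["src"] in THREAT_INTEL_HITS:
        score *= 1.5
    if alert["dst"] in CRITICAL_ASSETS or alert["src"] in CRITICAL_ASSETS:
        score *= 1.25                  # critical asset: pushed up the ranking
    return min(round(score), 100)

# Stage 4: correlation. Assumed rule: same target and same ATT&CK technique.
def correlation_key(alert):
    return (alert["dst"], alert["attack"])

def cluster_score(alerts):
    """Combine member scores; assumed rule is a capped sum."""
    return min(sum(enriched_score(a) for a in alerts), 1000)

class Workbench:
    """Clusters keyed by correlation key, with archive / automatic re-open."""

    def __init__(self):
        self.clusters = {}             # key -> {"alerts", "archived", "history"}

    def ingest(self, alerts):
        for a in filter_stream(alerts):
            key = correlation_key(a)
            c = self.clusters.setdefault(
                key, {"alerts": [], "archived": False, "history": []})
            if c["archived"]:          # a new correlated alert re-opens it
                c["archived"] = False
                c["history"].append("re-opened by new alert")
            c["alerts"].append(a)

    def archive(self, key):
        """Archive after investigation; history is kept, never discarded."""
        c = self.clusters[key]
        c["archived"] = True
        c["history"].append("archived after investigation")

    def ranked(self):
        """Open clusters ordered highest score first."""
        open_clusters = [(k, c) for k, c in self.clusters.items() if not c["archived"]]
        return sorted(open_clusters,
                      key=lambda kc: cluster_score(kc[1]["alerts"]), reverse=True)

if __name__ == "__main__":
    wb = Workbench()
    wb.ingest(SAMPLE_ALERTS)
    for key, c in wb.ranked():
        print(key, cluster_score(c["alerts"]), len(c["alerts"]), "alerts")
```

Running the block ranks the two surviving clusters: the SQL-injection cluster against the critical web server (boosted by both the threat-intel hit and the asset match) lands above the single endpoint alert, while the heartbeat log line and the known-false-positive signature never reach a cluster. Calling `archive()` on a cluster and then ingesting another correlated alert shows the re-open behaviour with the earlier history still attached.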