We build a good SOC on top of a good data harvesting foundation.
After data is harvested, it is cleaned and transformed before it is used for analytics. SOC workflows, threat hunting, and response will not be effective without this foundation.
Within Simply Data, we have harvested from common data sources such as Active Directory and multiple Gartner leader vendors. Parsing for these sources is, most of the time, already available by default in many SIEM solutions. However, there are also “uncommon” vendors such as Sangfor, Hillstone, McAfee (now Trellix), and SonicWALL. For these vendors, we have already customized our own data parsing pipelines for our production customers.
Speaking of workflows, all SIEM alerts triggered from harvested logs should be mapped according to MITRE. In line with this, as much as possible, every alert needs an investigation guide for a streamlined workflow. Once the workflow is standardized, we can make use of automation (either using SOAR or custom-built scripts) to automate responses. Admittedly, this is easier said than done, but it is the gold standard that we strive for as security engineers.
View our 5-minute demo session here: