SOC Process Framework

Clive Watson edited this page Sep 20, 2021 · 8 revisions

Author: Rin Ure

Summary:

If you are like me, you are probably excited by how fast Azure Sentinel has grown. That growth means more capabilities, functions and integrations to work with. With all that power, how do I build a SOC and operationalize my Security Operations to keep up? At long last, there is a new Workbook to help you do just that. I have spent over a decade helping to build SOCs, and together with my team of GBBs at Microsoft I built a SOC Process Framework Workbook that combines SOC industry standards and best practices and applies them to Azure Sentinel.

Content and links:

Main SOC Process Framework blog: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-soc-process-framework-workbook/ba-p/2339315
SOC Process Framework Workbook: https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/SOCProcessFramework.json
Incident Overview Workbook (author Clive Watson), for remediation and watchlist integration: https://github.com/Azure/Azure-Sentinel/blob/master/Workbooks/IncidentOverview.json
Watchlist: https://github.com/Azure/Azure-Sentinel/blob/master/docs/SOCAnalystActionsByAlert.csv
Get-SOCActions Playbook: https://github.com/rinure-msft/Azure-Sentinel/tree/master/Playbooks/Get-SOCActions
Incident Overview (with Remediation) Workbook blog: https://techcommunity.microsoft.com/t5/azure-sentinel/enhanced-azure-sentinel-alert-remediation-in-the-soc-process/ba-p/2452430
SOC Process Framework video series: https://techcommunity.microsoft.com/t5/azure-sentinel/what-s-new-azure-sentinel-soc-process-framework-8-part-video/ba-p/2662791

Remediations and Actions - Setup Instructions

In the [Incident Overview] Workbook, if an Alert has remediation entries, those are shown (Basic view). Note: not all Alerts have this data. However, you can provide your own set of Alerts mapped by the Alert "Title". This enhanced feature uses a Watchlist with the alias SocRA (Advanced view), and the enhanced data is then shown in the Incident Overview workbook. This allows you to provide your own set of remediations if required, for example adding extra steps that your SOC process requires.

WatchList Instructions

You must download the Watchlist file called SOCAnalystActionsByAlert.csv (https://github.com/Azure/Azure-Sentinel/blob/master/docs/SOCAnalystActionsByAlert.csv) and import it as a Watchlist.

Name the Watchlist alias as:

SocRA

Note: SocRA is case sensitive; you need an uppercase S, R and A.
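As an added example (not part of this wiki page or of the Incident Overview workbook itself), the following KQL shows the kind of lookup the Advanced view relies on: alerts from the last 7 days are joined to the SocRA Watchlist by alert title, so you can see which alerts have a custom remediation and which do not. The column names AlertTitle and Remediation are assumptions for illustration; replace them with the actual column names in SOCAnalystActionsByAlert.csv.

```kql
// Added example, not code from the wiki page or the workbook.
// Assumes the Watchlist was imported with the alias SocRA (case sensitive).
// AlertTitle and Remediation are ASSUMED column names; use the real ones from the CSV.
let SocRA = _GetWatchlist('SocRA')
    | project AlertTitle = tostring(AlertTitle), Remediation = tostring(Remediation);
SecurityAlert
| where TimeGenerated > ago(7d)
// keep one row per alert, the most recent state
| summarize arg_max(TimeGenerated, *) by SystemAlertId
| project TimeGenerated, AlertName, AlertSeverity, ProviderName, SystemAlertId
// left outer join so alerts with no Watchlist entry are still listed
| join kind=leftouter SocRA on $left.AlertName == $right.AlertTitle
| extend HasCustomRemediation = isnotempty(Remediation)
| project TimeGenerated, AlertName, AlertSeverity, ProviderName, HasCustomRemediation, Remediation
| order by TimeGenerated desc
```

Before running the join, a quick sanity check that the alias was typed correctly is `_GetWatchlist('SocRA') | count`: a zero result (or an error) usually means the alias casing is wrong or the import has not completed. Rows where HasCustomRemediation is false are the alert types your SOC has not yet documented in the CSV.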