A training report
Submitted in partial fulfillment of the requirements for the award of degree of
Bachelor of Technology
(Computer Science and Engineering)
Submitted to
LOVELY PROFESSIONAL UNIVERSITY
PHAGWARA, PUNJAB
SUBMITTED BY
Name of student: Firoz Kumar
Registration Number: 11811078
Submitted to: Aseem Kumar
Name of Supervisor: Sami Anand
Designation: HOD
Securonix
From 01/11/21 to 28/02/2022
Signature of the student:
Securonix India Private Limited.
Corporate Office: “The HUB”, Ground Floor, Sy No. 8&8/2, Ambalipura Village, Varthur Hobli Sarjapura Main Road, Bengaluru – 560 103
Pune : Beta 1 Building, 2nd Floor, Gigaspace IT Park, Viman Nagar, Pune – 41101
Security Intelligence Delivered.
To whom so ever it may concern
I, Firoz Kumar, 11811078, hereby declare that the work done by me on "SOAR" from Nov 2021 to Feb 2022, under the supervision of Satish Voleti, SDET Manager, Securonix and Sami Anand (HOD), Lovely Professional University, Phagwara, Punjab, is a record of original work for the partial fulfillment of the requirements for the award of the degree, Bachelor of Technology (Computer Science and Engineering).
Firoz Kumar (11811078)
Signature of the student:
Dated: 02/03/2022
ACKNOWLEDGEMENT
This report is the overview of my work as an intern at Securonix. This work would not have been possible without the guidance and supervision of the people who have helped me throughout my internship.
I would like to thank my supervisor and team at Securonix who helped me and guided me in the work. It was a fun and learning experience for me.
I would also like to thank my mentor at Lovely Professional University for their supervision.
Lastly, I would like to thank Lovely Professional University for providing me this opportunity to excel in my career, for the development of my future.
LIST OF FIGURES
1 Securonix Logo
2 Securonix a leader in Gartner Magic Quadrant
3 Executives of Securonix
4 Services by Securonix
5 SNYPR by Securonix
6 SOAR
7 Manual Testing
8 Writing Test cases
9 Integrations
10 Usage of Integration with Playbooks
11 Usability Testing of SOAR Applications
12 API automation
13 KARATE Framework
LIST OF ABBREVIATIONS
1. SIEM: Security Information and Event Management
2. UEBA: User and Entity Behavior Analytics
3. SOAR: Security Orchestration Automation and Response
4. NDR: Network Detection and Response
5. SDL: Security Data Lake
6. XDR: Extended Detection and Response
7. AWS: Amazon Web Services
8. PDF: Portable Document Format
9. XML: Extensible Markup Language
CERTIFICATE
INDEX
1. CHAPTER 1 - INTRODUCTION OF THE COMPANY ........ 2
1.1 COMPANY SERVICES ........ 7
1.2 COMPANY SOLUTIONS ........ 9
1.3 SECURONIX MISSION AND VALUES ........ 10
1.4 MORE INFORMATION ........ 12
2. CHAPTER 2 - INTRODUCTION OF THE PROJECT UNDERTAKEN ........ 13
2.1 SNYPR ........ 13
2.2 SOAR ........ 14
3. CHAPTER 3 - WORK DONE ........ 22
3.1 PLAYBOOKS, INTEGRATIONS, TOOLS & FRAMEWORK ........ 23
3.1.1 PLAYBOOKS ........ 23
3.1.2 INTEGRATIONS ........ 28
3.1.3 API TESTING USING KARATE ........ 33
4. CHAPTER 4 - CONCLUSION ........ 34
5. CHAPTER 5 - REFERENCES ........ 35
1. INTRODUCTION OF THE COMPANY
Securonix is a privately held solution provider based in Addison, Texas, USA. Established in 2007 by a team of experts with backgrounds in data security, risk management and compliance, the company brought its first product to market in 2011 and has been growing steadily since then. The company currently has more than 300 employees in North America, EMEA and APJ and a large global partner network. With a strong focus on building a healthy technology ecosystem, Securonix offers a large number of integrations with various security solutions and maintains strategic partnerships with major consultancies and system integrators.
Figure 1.1: Securonix Logo
As modern corporate networks become more distributed and more interconnected, they are exposed to new kinds of complex cyber-attacks, both from external actors and from malicious insiders. Traditional security solutions are no longer able to cope with the very large number of security incidents they report, many of which are false positives or otherwise irrelevant. Because these cannot be distinguished without extensive (and largely manual) forensic analysis, even experienced security analysts can no longer detect and contain a breach within an acceptable time. In recent years this has led to a severe shortage of staff with the skills to run Security Operations Centers, and many companies cannot afford to staff one even within their own budgets. The industry's response to this problem is next-generation Security Analytics solutions that focus on real-time analysis and correlation of security events across the corporate network, in order to find outliers and other anomalies and so identify potentially malicious activity. These products aim to eliminate false positives and present security analysts with a small number of actionable alerts, enriched with additional context for forensic analysis and clearly defined risk scores. Combined with a high degree of workflow automation and much improved reporting capabilities, they can significantly reduce the time needed to analyze and respond to cyber threats.
Securonix offers an impressive portfolio of security analytics products built on a common Security Analytics Platform for data collection, analysis and visualization (and more). In our previous Executive View we rated the Securonix solution as one of the most advanced implementations of the Real-Time Security Intelligence (RTSI) concept. However, that platform was not based on Big Data technology and, unlike several similar solutions, was not intended to be used as a long-term store for security events. In February 2017 the company launched the next generation of the platform, the SNYPR Security Analytics Platform, a Big Data security analytics solution built on Apache Hadoop and Kafka. The new product removes the long-term storage limitation and provides customers with an end-to-end solution for log management, security information and event management (SIEM) and user and entity behavior analytics (UEBA) on one platform. The previous-generation platform is still available to customers looking for an analytics solution that complements their existing SIEM, while SNYPR offers a full-fledged log and event management infrastructure.
Securonix provides a next-generation Security Information and Event Management (SIEM) solution. As a recognized leader in the SIEM industry, Securonix helps some of the largest organizations globally to detect sophisticated cyberattacks and respond to them within minutes. With the Securonix SNYPR platform, organizations can collect billions of events each day and analyze them in near real time to detect advanced persistent threats (APTs), insider threats, privileged account misuse and online fraud. Securonix pioneered the User and Entity Behavior Analytics (UEBA) market and holds patents on the use of behavioral algorithms to detect malicious activity. The SNYPR platform is built on big data Hadoop technologies and scales horizontally. The platform is used by some of the largest organizations in the financial, healthcare, pharmaceutical, manufacturing and federal sectors.
Figure 1.2: Securonix a leader in Gartner Magic Quadrant
The Securonix platform delivers positive security outcomes with zero infrastructure to manage. It provides analytics-driven next-generation SIEM, UEBA, and security data lake capabilities as a pure cloud solution, without compromise. Built on an open big data platform, Securonix Next-Gen SIEM provides scalable log management, behavior analytics-based advanced threat detection, and automated incident response on a single platform. Customers use it to address their insider threat, cyber threat, cloud security, and application security monitoring requirements. Securonix UEBA leverages machine learning and behavior analytics to analyze and correlate interactions between users, systems, applications, IP addresses, and data.
Light, nimble, and quick to deploy, it detects advanced insider threats, cyber threats, fraud, cloud data compromise, and non-compliance. Built-in automated response playbooks and customizable case management workflows allow security teams to respond to threats quickly and accurately. The Securonix Security Data Lake is a massively scalable, fault-tolerant, open data platform that ingests large amounts of data per day and supports reliable, economical, long-term data retention.
It transforms raw log data into meaningful security insights using enriched data, fast search, and clear visualizations to uncover comprehensive, actionable insights into the organization's security posture.
SNYPR integrates directly with the sources of event information enterprises already have in place. It ingests large volumes of data, normalizes, enriches and processes it, and then analyzes it in real time using a combination of user and entity behavior analytics (UEBA), unsupervised deep learning and applied threat models to deliver predictive threat detection. Securonix presents SNYPR as the most sophisticated threat detection capability released to date and as steering the industry toward a big data analytics approach to enterprise security.
Figure 1.3: Executives of Securonix
"SNYPR completely revolutionizes how enterprise organizations discover and manage cyber threats, and we are honored that this award from respected journalists recognizes our significant innovation," said Tanuj Gulati, CTO, Securonix. "SNYPR delivers a completely new visualization of the enterprise security posture, harnesses the power of big data and puts actionable intelligence into the hands of security leaders, enabling them to combat cyber threats and mitigate risk to their organization with fewer resources and lower costs."
Securonix is working to radically transform all areas of data security with actionable security intelligence. Its purpose is to build advanced security analytics technology that mines, enriches, analyzes, scores and visualizes customer data into actionable intelligence on the highest-risk threats from inside and outside their environment. Using signature-less anomaly detection techniques that track user, account and system behavior, Securonix is able to detect the most advanced data security, insider threat and fraud attacks automatically and accurately. Customers globally are using Securonix to address both basic and complex needs around advanced persistent threat detection and monitoring, privileged activity monitoring, enterprise and web fraud detection, application risk monitoring and access risk management.
1.1 COMPANY SERVICES
Securonix offers various services as listed below.
Figure 1.4: Services by Securonix
1. Next-Gen Security Information and Event Management (SIEM)
Legacy, signature-based SIEMs aren't effective at detecting advanced threats. The only way to catch a sophisticated attacker in time is to leverage advanced analytics within your SIEM. Stay ahead of the attackers by using technology such as machine learning to give your security team better insights and fewer false positives.
Built on big data, Securonix Next-Gen SIEM combines log management; user and entity behavior analytics (UEBA); and security orchestration, automation, and response into a complete, end-to-end security operations platform. It collects massive volumes of data in real time, uses patented machine learning algorithms to detect advanced threats, and provides artificial intelligence-based security incident response capabilities for fast remediation.
2. User and Entity Behavior Analytics (UEBA)
Today, many attacks are specifically built to evade traditional signature-based defenses, such as file hash matching and malicious domain lists. They use low and slow tactics, such as dormant or time-triggered malware, to infiltrate their targets. The market is flooded with security products that claim to use advanced analytics or machine learning for better detection and response. The truth is that not all analytics are created equal.
Securonix UEBA leverages sophisticated machine learning and behavior analytics to analyze and correlate interactions between users, systems, applications, IP addresses, and data. Light, nimble, and quick to deploy, Securonix UEBA detects advanced insider threats, cyber threats, fraud, cloud data compromise, and non-compliance. Built-in automated response playbooks and customizable case management workflows allow your security team to respond to threats quickly, accurately, and efficiently.
3. Security Orchestration Automation and Response (SOAR)
As the attack surface expands, there is a shortage of skilled security
personnel to secure businesses and keep the attackers at bay. Rapid response
is essential to mitigate the risks of cybersecurity threats, but disparate
security tools are cumbersome for security teams to manage, costing time
and effort.
Securonix Security Orchestration, Automation, and Response (SOAR) helps
security operations teams improve their incident response times by providing
automation that adds context and suggesting playbooks and next steps to
guide analysts. SOAR optimizes orchestration by streamlining incident
response with built-in case management, integrations covering over 275
applications, and seamless access to your SIEM, UEBA, and network
detection and response (NDR) solutions in a single pane of glass.
4. Network Detection and Response (NDR)
Network systems have evolved over time. Legacy network protection tools
and firewalls are unable to provide adequate visibility into application traffic
due to factors such as encryption, browser emulation, and advanced evasion
techniques. The traditional methods of detection are labor intensive and
manual, resulting in limited visibility and information overload. Securonix
Network Detection and Response (NDR) gives you the visibility your
security team needs to detect and respond to network-borne threats.
Securonix NDR uses analytics powered by machine learning to analyze
network events and alert analysts to anomalies arising from interactions
between users, applications, servers, and network components.
5. Security Data Lake
The Security Data Lake (SDL) is a critical component of a next-generation SIEM platform. It provides the scale and storage that modern security solutions depend on. However, some data lake solutions are built on legacy, outdated technology. One example is data lakes that use relational databases for storage, which makes it impossible for those solutions to deliver these capabilities efficiently.
The Securonix Security Data Lake is the core of the Securonix platform, providing scalability, data security, and searchability. It is a robust, modern data lake architecture that is fault tolerant, secure, scalable, economical, and open.
6. Extended Detection and Response (XDR)
Securonix Open XDR provides you with a comprehensive security fabric
that combines the core components required for fast and effective threat
detection and response. Using advanced behavior analytics powered by an
industry-pioneering user and entity behavior analytics (UEBA), Securonix
Open XDR continuously delivers threat detection content aligned to the
MITRE ATT&CK framework. Seamlessly integrated automated response
capabilities, powered by pre-built connectors and playbooks, mitigate
identified threats quickly and efficiently.
1.2 COMPANY SOLUTIONS
Securonix offers various solutions as listed below:
• Application Security
• AWS security monitoring
• Azure security monitoring
• Cloud SIEM
• Securonix for CrowdStrike
• Securonix for EMR applications
• Fraud prevention
• Securonix for Healthcare
• Identity analytics and intelligence
• Insider threat
• Securonix for PTC Windchill
• Cloud Security Monitoring
• GCP Security Monitoring
• Office 365 Security Monitoring
• Securonix for Okta
• SAP Security Monitoring[2]
1.3 SECURONIX MISSION AND VALUES
Securonix's ongoing mission is to monitor the constantly shifting threat landscape, conducting security investigations and developing detection methods for the latest real-world cyberattacks. It provides advanced security expertise for the customer's security operations, including threat hunting and incident response. It also shares its expertise with the wider community through Threat Research Reports, to help customers understand, detect and protect themselves against the latest real-world cyberattacks.
Securonix values:
- Customers First: Securonix believes its customers' long-term success is vital to its own long-term success. It collaborates closely with its customers to understand their business and provide sustainable value, in order to ensure both immediate and ongoing success.
- Visionary: Securonix is opposed to the status quo and is obsessed with innovating its way forward. That is what led it to build the first signature-less user behavior analytics solution and to transform it into a complete security analytics and operations platform that helps organizations detect and respond to advanced threats.
- Collaborative: Securonix believes that no single organization can do it all. It collaborates with its customers and partners to develop best-of-breed solutions to combat advanced threats.
- Pragmatic: Securonix sees things as they are. It believes the best way to build a better security analytics platform is to harness the power of machine learning on Hadoop, to deliver unlimited scale, resilience and cost-effectiveness as well as the power to predict, detect and respond to advanced threats.
- Authoritative: Securonix is writing the rules to deliver on the promise of next-generation SIEM; it has pioneered and is leading the market.[2]
1.4 MORE INFORMATION
• Headquarters: Addison, Texas
• Founded in: 2007
• Company Size: 501-1000 employees
• Website: https://www.securonix.com
2. INTRODUCTION OF THE PROJECT UNDERTAKEN
The project undertaken is the Spotter Query Parser, which translates the query entered by users in the Spotter service of the SNYPR platform.
2.1 SNYPR
SNYPR(TM) is a security analytics platform that transforms Big Data into actionable security intelligence. It delivers the proven power of Securonix analytics with the speed, scale, and affordable long-term storage of Hadoop in a single, out-of-the-box solution.
SNYPR ingests petabytes of data generated in large organizations, processes it and analyzes it in real time using a combination of user and entity behavior analytics (UEBA), unsupervised deep learning, and threat modeling to deliver true predictive threat detection and unprecedented historical investigation capabilities.
Figure 2.1: SNYPR by Securonix
SNYPR runs the Securonix technology and all its features natively on Hadoop and uses Hadoop both as its distributed security analytics engine and as its long-term data retention engine. The more data there is to ingest and analyze, the more Hadoop nodes are added; the solution scales horizontally as needed.
SNYPR comes as a prepackaged bundle that includes the latest Securonix 5.0 technology and Cloudera Enterprise. For enterprises, SNYPR is a holistic security analytics platform that marries best-of-breed Big Data and analytics technologies. It detects the most sophisticated advanced persistent threats and "low and slow" attacks over extended periods of time. All historical, security-relevant data is available for investigation.
Securonix SNYPR is the next generation of the company's Security Analytics Platform and the technical basis of its product portfolio. It is an advanced security analytics technology designed from scratch to be scalable, flexible, and capable of supporting a wide range of data sources across the business. An important distinction of the SNYPR platform is its flexibility and extensibility: it provides a wide range of pre-defined threat models and more than 350 out-of-the-box connectors for identity management systems, security tools, access and entitlement data, and activity and violation data from existing company infrastructure.
This allows the product to support almost any data source within the company's IT infrastructure, including networks, devices, applications and cloud services. For each supported data source, the platform automatically applies the relevant behavior models and analytics. It is also possible to define custom analytics models for specific data sources and customer needs. The same platform can therefore address a wide range of use cases, from cyber threats and malicious insiders to compliance and fraud detection. A large number of industry-specific use cases can also be supported.
SNYPR's Apache Hadoop and Kafka powered backend is the basis of its Big Data lake, which supports large-scale data collection and storage. The SNYPR Security Data Lake is based on an open data model that provides long-term storage of terabytes of security event data, including data from third-party applications, that is available for real-time search and analysis at any time. The price of this new approach is increased hardware requirements, namely the initial investment in setting up the Big Data infrastructure. Still, it makes it much easier for customers to scale to large volumes of data and offers better reliability than keeping an existing log management solution.
The Securonix platform is flexible enough to accommodate both options: companies with limited data requirements that want to keep their existing long-term log storage can choose a non-Hadoop backend, with the option to upgrade to the Big Data build later. Migration to SNYPR is straightforward for existing customers and allows them to keep existing data as well as configuration. Both solutions share the same front end; however, the new backend adds several notable developments such as the SPOTTER search engine, which offers natural-language, real-time search across the whole data lake.
All data used by the Securonix platform is enriched with additional context attributes, which can be derived automatically using over 100 pre-defined functions or custom rules. Another key function is identity attribution: each incoming event is automatically linked to an identity, not just from corporate user directories but from other authoritative sources such as HR systems. Regarding potential violations of privacy regulations, Securonix builds a number of privacy enhancements into the platform, including encryption and anonymization to keep employee details hidden, geographic policies, granular access control, and a designated privacy officer role which alone is allowed to disclose the identity involved in a security incident.
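The enrichment, identity attribution and privacy masking described above, as an added example in Python. This is illustration code written for this report, not Securonix's implementation: the directory, HR feed, geo table, intel list and log lines are constructed, and the `privacy_officer` role name and the per-tenant HMAC key are assumptions.

```python
"""Event normalization, identity attribution and privacy masking at ingestion.

Added illustration, not Securonix code. The directory, HR feed, geo table,
intel list and log lines below are all constructed for the example.
"""
import hashlib
import hmac
import ipaddress
import re

# Constructed corporate directory: account -> identity record.
DIRECTORY = {
    "jdoe": {"employee_id": "E1001", "display_name": "Jane Doe", "dept": "Finance"},
    "svc_backup": {"employee_id": None, "display_name": "Backup service", "dept": "IT"},
}
# Constructed HR feed, a second identity source keyed by employee id.
HR_FEED = {"E1001": {"status": "active", "manager": "E0007"}}
# Constructed geo table (CIDR -> label) and threat-intel list.
GEO_TABLE = [("10.0.0.0/8", "corp-lan"), ("198.51.100.0/24", "vpn-pool-eu")]
THREAT_INTEL = {"203.0.113.9": "tor-exit-node"}
PRIVACY_OFFICER_ROLE = "privacy_officer"   # assumed role name

# Constructed raw VPN authentication lines in key=value syslog style.
RAW_EVENTS = [
    "Jan 05 09:12:01 vpn01 auth: user=jdoe src=198.51.100.7 result=success",
    "Jan 05 09:13:44 vpn01 auth: user=svc_backup src=203.0.113.9 result=failure",
    "Jan 05 09:14:10 vpn01 auth: user=unknown42 src=10.1.2.3 result=failure",
]

EVENT_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) auth: "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\S+)$"
)


def parse_event(line: str) -> dict:
    """Normalize one raw line into the common schema (ts, host, user, src, result)."""
    m = EVENT_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable event: {line!r}")
    return m.groupdict()


def geolocate(ip: str) -> str:
    """Map a source address to a network label; anything unlisted is external."""
    addr = ipaddress.ip_address(ip)
    for cidr, label in GEO_TABLE:
        if addr in ipaddress.ip_network(cidr):
            return label
    return "external"


def pseudonymize(account: str, key: bytes) -> str:
    """Keyed hash: analysts see a stable token per account, never the real name."""
    return "emp-" + hmac.new(key, account.encode(), hashlib.sha256).hexdigest()[:12]


def enrich(event: dict, key: bytes) -> dict:
    """Attach identity, HR, geo and intel context; replace the account with a token."""
    out = dict(event)
    account = out.pop("user")
    rec = DIRECTORY.get(account)
    hr = HR_FEED.get(rec["employee_id"]) if rec and rec["employee_id"] else None
    out.update({
        "identity_token": pseudonymize(account, key),
        "attributed": rec is not None,
        "dept": rec["dept"] if rec else None,
        "hr_status": hr["status"] if hr else None,
        "geo": geolocate(out["src"]),
        "intel": THREAT_INTEL.get(out["src"]),
    })
    return out


def reveal_identity(event: dict, actor_role: str, key: bytes) -> str:
    """Only the privacy officer may resolve a token back to a person."""
    if actor_role != PRIVACY_OFFICER_ROLE:
        raise PermissionError("only the privacy officer may disclose identities")
    for account, rec in DIRECTORY.items():
        if hmac.compare_digest(pseudonymize(account, key), event["identity_token"]):
            return rec["display_name"]
    return "unattributed"


if __name__ == "__main__":
    key = b"rotate-me-per-tenant"   # assumed per-tenant masking key
    for line in RAW_EVENTS:
        print(enrich(parse_event(line), key))
```

A keyed hash rather than a plain hash is used so that the token cannot be reversed simply by hashing the company's account list; disclosure needs both the privacy officer role and the key, which is the access control the paragraph describes.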
The real-time correlation engine in SNYPR is able to bind each security event to an entity within the business, be it a user, a device or an organizational unit. A baseline of normal behavior is established and maintained for each such entity. The new release offers much improved behavior analytics, including 200 new models that correlate and analyze security events from users, devices, applications and other assets, and achieves better detection of long-running attacks that legacy solutions would not identify at all. For forensic investigation, the solution includes a dedicated investigation workbench that provides visibility into the relationships between users, IP addresses, systems, activities and other data relevant to an event. Naturally, the new data lake technology greatly simplifies the analyst's job by providing real-time access to all collected security information, both in its native format and enriched with contextual information. The new natural-language search engine supports pivoting and drilling down between entities. Each search can be saved as a dashboard or exported in a variety of formats. The set of built-in reports and standard dashboards was also substantially extended in recent releases.
A number of response capabilities are also provided, such as disabling a user account in the company's Active Directory or blocking a device's IP address on the company firewall. These actions depend on integration with third-party security tools, IAM systems, SIEM solutions and other products. Recently, Securonix has added its own Threat Model Exchange service, which gives customers access to the latest innovations from the company's research team and delivers new threat models. The company also promotes crowdsourcing by allowing customers to share threat models and other content. Naturally, the platform also supports integration with external threat intelligence providers.
The Securonix Security Analytics Platform provides truly advanced security analytics technology to collect, analyze and visualize business and security information and turn it into actionable intelligence. What sets Securonix apart from many other players in this market is the platform's extensibility, a complete set of out-of-the-box content, and a wide range of connectors and integrations with third-party management and security products.
The ability to collect and correlate security events across all IT systems, applications and even cloud services, impressive enrichment capabilities and a powerful, freely customizable correlation engine ensure that the platform can provide security analysts with a complete set of incident investigation tools. This is further enhanced by built-in privacy controls, which have been approved by trade unions in several countries. On the other hand, the solution's own response capabilities are limited compared to some competitors, relying heavily on custom integration with third-party tools.
With the latest release based on an open, standard Big Data model, the company has addressed the need for scalability and long-term retention for companies seeking a single end-to-end solution for log management, SIEM and security analytics. Although the new backend comes with increased hardware requirements, its flexibility allows Securonix to continue offering the previous-generation solution to customers who want to complement an existing log management or SIEM platform, while at the same time providing a straightforward migration path if needed.
Key features of Snypr are:
• Data Enrichment:
All the data ingested by SNYPR is normalized, summarized, and
enriched at time of ingestion with contextually relevant information such as
user, third-party intelligence, and geolocation data.
• Distributed Behavior Analytics:
Leveraging Hadoop’s distributed and scalable nature, SNYPR performs
distributed real-time anomaly detection regardless of the amount of data
coming into the platform.
• Historical Investigation:
With SPOTTER, the investigators can go back in time and understand
who was doing what, when, and why, with all the relevant contextual
information needed to be effective.
• Scalability:
Fully distributed and scalable architecture for data ingestion, processing,
and analytics of petabytes of data with the affordable long-term storage of
Hadoop.
• Data Redundancy:
All machine data ingested, processed, and analyzed by SNYPR is
automatically replicated across Hadoop Distributed File System (HDFS)
data nodes to provide fault tolerance.
• Enterprise Management:
With the pre-packaged Cloudera OEM version of SNYPR, use Cloudera
Manager to manage all your Hadoop components from a single pane of glass.
2.2 SOAR
SOAR stands for Security Orchestration, Automation, and Response. SOAR platforms are a collection of security software solutions and tools for collecting and browsing data from a variety of sources. SOAR solutions then use a combination of human expertise and machine learning to analyze this diverse data in order to understand incidents and prioritize incident response actions.
The term describes three software capabilities: threat and vulnerability management, security incident response, and security operations automation. SOAR allows companies to collect threat-related data from a range of sources and automate the response to those threats. The term was originally coined by Gartner, who also defined the three capabilities. Threat and vulnerability management (Orchestration) covers technologies that help remediate cyber threats; security incident response (Response) covers how an organization plans, manages, tracks and coordinates its response to an incident; and security operations automation (Automation) relates to the technologies that enable automation and orchestration within operations.
The benefits of SOAR
Many security operations teams struggle to make sense of the noise from disparate systems, rely on too many error-prone manual processes, and lack the highly skilled talent to solve all of this. The result is an increased probability of missing an alert that matters, wasted time and resources due to manual processes, and slow response times due to a lack of standardized response capabilities. SOAR addresses these problems, minimizing the impact of security incidents of all types, maximizing the value of existing security investments, and reducing the overall risk of legal liability and business downtime. To achieve this, it:
• Consolidates process management, technology and expertise
• Centralizes asset monitoring
• Enriches alerts with contextual intelligence
• Automates response and performs inline blocking
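A playbook that follows the steps above (enrich the alert, decide, respond, record what was done) using the response actions mentioned in Chapter 2, blocking a source address on the firewall and disabling an account, as an added example in Python. This is illustration code written for this report, not the Securonix SOAR engine: the alert, intel feed, VIP list, internal network ranges, scoring threshold and the in-memory `Connector` class are constructed stand-ins for real integrations.

```python
"""Minimal SOAR-style playbook runner: enrich, decide, respond, audit.

Added illustration, not Securonix SOAR code. The alert, intel table,
VIP list, internal ranges and connector are constructed stand-ins.
"""
import ipaddress
from dataclasses import dataclass, field

THREAT_INTEL = {"203.0.113.9": "tor-exit-node"}   # constructed intel feed
VIP_USERS = {"ceo"}                                # constructed: disabling needs approval
CONTAIN_THRESHOLD = 70                             # assumed scoring cut-off
# Constructed corporate ranges: addresses here are never sent to the perimeter blocklist.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed alert as a SIEM policy would hand it to SOAR.
ALERT = {"id": "ALR-1", "rule": "Impossible travel login",
         "user": "jdoe", "src_ip": "203.0.113.9", "risk_score": 85}


@dataclass
class AuditLog:
    """Every playbook step is recorded so the case shows what was done and why."""
    entries: list = field(default_factory=list)

    def record(self, step: str, detail) -> None:
        self.entries.append((step, detail))


class Connector:
    """In-memory stand-in for firewall and IAM integrations; actions are idempotent."""

    def __init__(self) -> None:
        self.blocked_ips: set = set()
        self.disabled_accounts: set = set()

    def block_ip(self, ip: str) -> str:
        if ip in self.blocked_ips:
            return "already-blocked"
        self.blocked_ips.add(ip)
        return "blocked"

    def disable_account(self, user: str) -> str:
        if user in self.disabled_accounts:
            return "already-disabled"
        self.disabled_accounts.add(user)
        return "disabled"


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def run_playbook(alert: dict, conn: Connector, audit: AuditLog,
                 approve_disruptive: bool = False, dry_run: bool = False) -> dict:
    """Run one alert through the playbook and return the outcome."""
    # 1. Enrich with threat-intel context.
    intel = THREAT_INTEL.get(alert["src_ip"])
    audit.record("enrich", {"alert": alert["id"], "intel": intel})

    # 2. Decide: an intel hit raises the score; below threshold goes to the analyst.
    score = alert["risk_score"] + (15 if intel else 0)
    if score < CONTAIN_THRESHOLD:
        audit.record("decide", f"score {score} below threshold, routed to triage")
        return {"outcome": "triage", "score": score, "actions": [], "suggested": []}

    # 3. Choose actions. Never push an internal address to the perimeter blocklist,
    #    and gate account disablement for VIPs behind explicit analyst approval.
    actions, suggested = [], []
    if is_internal(alert["src_ip"]):
        audit.record("gate", "internal source address, perimeter block skipped")
    else:
        actions.append(("block_ip", alert["src_ip"]))
    if alert["user"] in VIP_USERS and not approve_disruptive:
        suggested.append(("disable_account", alert["user"]))
        audit.record("gate", "VIP account, disable suggested but needs approval")
    else:
        actions.append(("disable_account", alert["user"]))

    # 4. Respond through the connector (or only report in dry-run mode).
    results = []
    for name, arg in actions:
        status = "dry-run" if dry_run else getattr(conn, name)(arg)
        results.append((name, arg, status))
    audit.record("respond", results)
    return {"outcome": "contained", "score": score, "actions": results, "suggested": suggested}


if __name__ == "__main__":
    log, fw = AuditLog(), Connector()
    print(run_playbook(ALERT, fw, log))
    for entry in log.entries:
        print(entry)
```

Two checks matter in practice: actions are idempotent, so re-running the playbook on the same alert does not fail or double-act, and an internal source address is never pushed to the perimeter blocklist. The dry_run flag lets a new playbook be exercised against live alerts without touching any integration.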
Security Orchestrator features:
• Incident response playbooks: Upskill your analysts and accelerate investigations with pre-built courses of action developed by our Mandiant incident responders.
• Open plugin framework: Implement custom incident response workflow automation between your security appliances.
• Process automation: Integrate more than 150 third-party tools and data sources for seamless, single-pane management of your security stack.
• Case management: Collaborate between analyst and incident response teams by storing correlated alerts and artifacts in an intuitive case management system. Create role-based groups and assign granular permissions for enhanced workflow management.
SIEM and SOAR - Better Together
Streamline Investigations
Securonix helps your team work smarter, not harder. Our integrated SOAR
offering simplifies the analyst experience and streamlines the end-to-end
incident response cycle with a seamless workflow for threat detection,
investigation and response.
Embedded SOAR:
Seamlessly incorporate response actions into the SIEM policies without
having to switch screens or tools.
Automated Playbook Actions:
Remove complexity for analysts with out-of-the-box playbooks that cover the
most common use cases.
Playbook Designer:
Easily build additional use cases to meet your organization’s unique needs.
Playbook output from the SIEM
Respond to Threats at Scale
Our unified platform consolidates data-sharing and delivers threat detection and
response in a cloud-native architecture that scales as you grow.
Cloud Native:
Built with a pure, SaaS architecture, security teams can easily add on SOAR as
a seamless extension of our SaaS platform for better ROI and fast time-to-
value.
Integrations:
Scale response actions with orchestrations from best-in-breed tools like EPP,
EDR, next-gen firewalls, and more.
Maximize your Security Operations Investment
Securonix SIEM + SOAR offers simple pricing and gives you access to robust
reporting and dashboards that help you understand and improve the efficiency
of your SOC.
Simplified Licensing:
Experience predictable pricing without hidden costs such as the number of
users or playbooks. Our SOAR is licensed in line with our Next-Gen SIEM
with no additional variables.
Playbook List View Page:
In the list view page the user can see the created playbooks along with
fields such as status, tenant, creation time and update time.
Integrations Page:
In the Integrations page the user can see the integrations supported by the SOAR
application.
Playbook List View Page
Integrations Page
3. WORK DONE
In my internship at Securonix for a duration of 6 months from March to
September, I worked on Integrations and now I am working on the
usability testing service for SOAR. In Integrations I tested all of the APIs
from Postman and also I made use cases from the UI as well.
In this project, I created playbooks which are used with connectors. Every
connector has some supported actions and as per the user's need the user can
pick any of the supported actions (APIs), which are used in the action blocks.
There are different types of blocks that the user can use as per his need.
Other than working on Integrations I am also working on automation,
where I am automating the integration APIs by using the KARATE framework. Usability
testing is one of the other aspects I am currently working on. With the help of
playbooks the user can do his task within a task as per his test case. There are
more than twenty integrations that we will be working on and I have completed
the testing of seven integrations as of now. The other way of testing is the API
testing from Postman that I am also working on.
By making a complex playbook the user can see his output in the debugger and the
output will be sequential, corresponding to each of the blocks. The playbook will get
triggered as soon as a violation comes from the SNYPR application; based upon
the type of violation that comes, a similar kind of playbook will get executed and the user
will be able to see the output of that playbook.
Below is the library used for the development of the project.
3.1 PLAYBOOKS, INTEGRATIONS, FRAMEWORKS & TOOLS
3.1.1 PLAYBOOK
Security orchestration, automation, and response (SOAR) solutions help teams
to enhance their security posture and develop efficiency without overlooking
critical security and IT processes. This is achieved with the help of playbooks,
which are a built-in capability of SOAR solutions that carry out various tasks
and workflows based on rules, triggers, and events. Integrating SOAR into an
organization’s security operations center (SOC) can boost the overall security
efficiency and effectiveness by automating tasks, coordinating alerts from
multiple security devices, and providing playbooks for incident response.
SOAR solutions utilize varied playbooks to automate responses to different
kinds of threats without any manual intervention. These playbooks ensure that
the security processes are uniformly executed throughout a company’s SOC.
Sets of rules known as playbooks allow SOAR platforms to automatically take
action when an incident occurs. Using SOAR playbooks, security teams can
handle alerts, create automated responses for different incident types, and
quickly resolve issues, more effectively and consistently. With SOAR
playbooks, security teams can build workflows that require minimal to no
human intervention. These playbooks also facilitate the automated incident
investigation, threat intelligence enrichment, incident actioning such as
blocking of malicious indicators of compromises (IOCs), and automated threat
data dissemination to security tools such as SIEMs, firewalls, threat
intelligence platforms (TIPs), incident response platforms and others.
Why are SOAR Playbooks Needed?
SOAR playbooks enable security teams to expedite and streamline time-consuming
processes. Equipped with capabilities to integrate security tools and
establish seamless customizable workflows, these playbooks allow security
teams to automate mundane and repetitive tasks
while freeing human analysts for more important tasks dependent on human
intelligence and decision making. Nowadays, modern security playbooks come
with “holdable” features allowing them to integrate human decision making
with automation for highly critical security situations. With considerable
productivity gains and time savings across overall security operations, security
teams can move from overwhelmed to functioning at maximum efficiency in
no time.
Threat Intelligence Automation
Threat intelligence enrichment is an important aspect of any incident or threat
investigation process. This enrichment process eliminates false-positives and
collects actionable intelligence for threat response and other security
operations. SOAR playbooks automatically ingest and normalize indicators of
compromise (IOCs) from external and internal intelligence sources and enrich
the collected IOCs. Following the enrichment process, the playbooks can
automatically score the intel and prioritize the further response steps.
Automated Incident Response
With advanced threat contextualization, analysis, and SOAR playbooks,
security teams can have intel-driven responses to all security threats and
incidents. SOAR playbooks allow security teams to leverage the power of
automation to detect, analyze, enrich, and respond to threats at machine speed.
SOAR playbooks can also be used to block threat indicators (IOCs) on
Firewall, EDR, SIEM, and other tools.
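As an added example (not Securonix code and not the SNYPR playbook engine) tying together the playbook, "holdable" step and threat-intelligence passages above: a small Python playbook runner in which a SIEM violation triggers a fixed sequence of blocks, indicators are normalized, enriched and scored, and a holdable block waits for a human decision before a firewall-blocking action. The intel lookup, indicator values and connector stand-ins are all constructed.

```python
# Constructed threat-intel lookup standing in for an enrichment connector
# (a VirusTotal-style reputation service); the values are made up.
INTEL = {"evil.example": {"malicious_votes": 7}, "198.51.100.9": {"malicious_votes": 0}}

def normalize_iocs(violation):
    """Ingest raw indicators from the violation: refang, lowercase, dedupe, type."""
    out, seen = [], set()
    for raw in violation["indicators"]:
        v = raw.strip().lower().replace("[.]", ".").replace("hxxp", "http")
        if v in seen:
            continue
        seen.add(v)
        parts = v.split(".")
        kind = "ip" if len(parts) == 4 and all(p.isdigit() for p in parts) else "domain"
        out.append({"value": v, "type": kind})
    return out

def enrich(iocs):
    """Attach intel context; indicators unknown to the source get no vote count."""
    return [{**i, **INTEL.get(i["value"], {"malicious_votes": None})} for i in iocs]

def score(iocs):
    """Score 0-100 from the vote count and order so the worst indicator comes first."""
    for i in iocs:
        votes = i["malicious_votes"]
        i["score"] = 0 if votes is None else min(100, votes * 10)
    return sorted(iocs, key=lambda i: i["score"], reverse=True)

def hold_for_approval(iocs, approve):
    """Holdable block: high-score indicators go on only if a human approves them."""
    return [i for i in iocs if i["score"] >= 50 and approve(i)]

def block_on_firewall(iocs):
    """Stand-in for a firewall connector action; returns what it would block."""
    return [f"blocked {i['type']} {i['value']}" for i in iocs]

def run_playbook(blocks, violation):
    """Run blocks in order, feeding each output to the next, and record every
    block's output (or error) in sequence, as the playbook debugger shows it."""
    trace, data = [], violation
    for name, fn in blocks:
        try:
            data = fn(data)
        except Exception as e:  # a failing block stops the playbook
            trace.append({"block": name, "error": f"{type(e).__name__}: {e}"})
            break
        trace.append({"block": name, "output": data})
    return trace

def respond(violation, approve):
    """Playbook triggered by a SIEM violation: normalize -> enrich -> score -> hold -> block."""
    blocks = [("normalize", normalize_iocs), ("enrich", enrich), ("score", score),
              ("hold", lambda iocs: hold_for_approval(iocs, approve)), ("block", block_on_firewall)]
    return run_playbook(blocks, violation)
```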
SOAR PLAYBOOK USE CASES
Vulnerability Management
SOAR playbooks enable security teams to instantaneously respond to
vulnerabilities by automatically applying or scheduling patches. SOAR
playbooks can also be used to ensure that security teams stay informed about
all the current vulnerabilities and that they successfully evaluate the potential
risk of every vulnerability in order to take appropriate risk mitigation measures.
Improved Threat Hunting
With new vulnerabilities and attacks emerging constantly, threat hunting is
becoming not only a challenge but a priority. Using SOAR playbooks, security
teams can automate threat hunting processes to identify suspicious domains,
malware, and other indicators, accelerating the hunting process and freeing
themselves to tackle critical challenges. With the help of SOAR playbooks,
security teams can move beyond alert fatigue, responding to incidents before
the moment of impact.
Playbook Use case
Automated Patching and Remediation
From notifications to remediations of threats, vulnerability management
processes can be orchestrated by integrating SOAR playbooks into a
company’s existing solutions. The playbooks automate actions to scan,
discover patches, validate remediation, and more, addressing critical issues.
Phishing Email Investigations
Phishing has been one of the major attack vectors for data breaches. With
SOAR playbooks, security teams don’t need to manually investigate every
URL, attachment, or dubious request for sensitive information. These initial
tasks can be automated using SOAR playbooks, allowing security teams to
focus on alleviating malicious content and training employees on phishing best
practices.
Malware Containment
With the increasing risk of ransomware, spyware, viruses, and more, security
teams are grappling with a plethora of malicious programs. SOAR playbooks
can automatically investigate and contain malware before it spreads and
damages an organization’s network.
Employee Provisioning and Deprovisioning
Every company should be able to quickly and effectively manage user
permissions in order to respond to a wide range of security threats. However, it
is a critical task and most organizations can’t keep up. From provisioning and
deprovisioning users to responding to incidents, SOAR playbooks can put an
end to the burden of manually handling user accounts in diverse use cases.
Benefits of SOAR Playbooks
Standardized Processes
SOAR solutions fill in for security analysts and relieve them of monotonous
tasks, and include these tasks in an overall process of handling any incident. A
good SOAR solution incorporates these tasks into playbooks that lay out the
step-by-step incident response.
Streamlined Operations
Every aspect of SOAR playbooks contributes to simplifying security operations.
While security orchestration aggregates data influx from multiple sources,
security automation controls low-priority alerts and incidents with the help of
automated playbooks.
Technology and Tools Integration
A SOAR playbook can be integrated into products across various security
technologies such as cloud security, forensics, and malware analysis,
vulnerability and risk management, data enrichment, threat intelligence,
incident response, and endpoint security among others. The integration of these
technologies into a SOAR solution can be seamless.
Playbook output
3.1.2 Integrations
Product Integrations (Apps/Connectors) enable connections with the third-party
tools and services through which the SNYPR SOAR platform orchestrates and
automates SOC operations. These Integration Actions execute through REST APIs,
Webhooks, and other techniques supported by the vendors. Additionally, an
Integration can support bidirectional communication, allowing both products to
execute cross-console actions.
Integration categories:
Analytics and SIEM
Authentication
Case Management
Data Enrichment
Threat Intelligence
Database
Endpoint
Forensics and Malware Analysis
IT Services
Messaging
Network Security
Vulnerability Management
Integration Instance
You can configure multiple instances of an Integration, e.g., connect to
different environments. Additionally, if you are an MSSP and have multiple
tenants, you could configure a separate instance for each tenant.
Integrations
Integrations Acceptance Criteria
1) Categorization based on the domain & usage.
2) Supported use cases for the Integration.
3) Document supported versions from the vendor.
4) Each Integration needs to be tested & certified against all supported
versions.
5) Each Integration should support all possible combinations.
6) Each Integration should be able to handle performance at scale.
7) All Integration actions should always include input parameters as part of
the response.
8) DevOps
   1) CI/CD pipelines for automated testing. Auto triggering Playbook(s).
   2) Publish Integration on the public-facing website for
   customers to login, authenticate and download.
   Each Integration should support its own release train.
Different Integrations
Cylance
CylancePROTECT is an antivirus and application control solution for fixed-function
devices that leverages artificial intelligence to detect and prevent malware
from executing on endpoints in real time.
VirusTotal
VirusTotal is an online service that analyzes suspicious files and URLs to detect
types of malware and malicious content using antivirus engines and website
scanners. It provides an API that allows users to access the information generated
by VirusTotal.
VirusTotal
Cylance
Recorded Future
Recorded Future is the world’s largest provider of intelligence for enterprise
security. By combining persistent and pervasive automated data collection and
analytics with human analysis, Recorded Future delivers intelligence that is
timely, accurate, and actionable. In a world of ever-increasing chaos and
uncertainty, Recorded Future empowers organizations with the visibility they
need to identify and detect threats faster; take proactive action to disrupt
adversaries; and protect their people, systems, and assets, so business can be
conducted with confidence. Recorded Future is trusted by more than 1,200
businesses and government organizations around the world.
Jira
Jira Software is part of a family of products designed to help teams of all types
manage work. Originally, Jira was designed as a bug and issue tracker. But
today, Jira has evolved into a powerful work management tool for all kinds of
use cases, from requirements and test case management to agile software
development.
Recorded Future
Jira
MSoffice365
Microsoft 365 is the productivity cloud designed to help you pursue your
passion and run your business. More than just apps like Word, Excel,
PowerPoint, Microsoft 365 brings together best-in-class productivity apps with
powerful cloud services, device management, and advanced security in one,
connected experience.
Office 365
AWS CloudWatchLogs
CloudWatch collects monitoring and operational data in the form of logs,
metrics, and events, and visualizes it using automated dashboards so you can
get a unified view of your AWS resources, applications, and services that run
on AWS and on premises.
AWS CloudWatch
CarbonBlack
Carbon Black is a premier endpoint security tool that provides ransomware and
malware protection while facilitating threat hunting and incident response. It
has the same power as the premium tools without the premium price tag.
Carbon Black
3.1.4 API Testing Using KARATE
API is an acronym for Application Programming Interface.
In software application (app) development, the API is the middle layer between the
presentation (UI) and the database layer. APIs enable communication and data
exchange from one software system to another.
API testing is a software testing practice that tests the APIs directly — from
their functionality, reliability, performance, to security. Part of integration
testing, API testing effectively validates the logic of the build architecture
within a short amount of time.
KARATE:
Karate is an open-source general-purpose test-automation framework that can
script calls to HTTP end-points and assert that the JSON or XML responses are
as expected. Karate is implemented in Java but test-scripts are written in
Gherkin since Karate was originally an extension of the Cucumber framework.
Karate is built on top of Cucumber, another BDD testing framework, and
shares some of the same concepts. One of these is the use of a Gherkin file,
which describes the tested feature. However, unlike Cucumber, tests aren't
written in Java and are fully described in the Gherkin file.
4. CONCLUSION
The internship at Securonix has been a great learning journey. It helped me a
lot not only in improving my technical skills but also improved my industrial
exposure and corporate mindset. This internship is teaching me a lot of new
technologies and giving me the opportunity to work on a multifaceted project. During the
internship I was mentored by very capable and talented engineers who made me
explore many new technologies and ways of doing things which helped me in
not only writing better code but also maintainable and clear code with proper
code style which is easier to read and understand.
The internship taught me the importance of work discipline and commitment to
my work and completing the work within the deadline and under pressure.
Going forward, I will continue with this internship and work alongside
other engineers at the company and learn and contribute to the product line of
Securonix and learn lots of new things along the way.