Preface

Hey everyone! In this book, we will cover the topic of Security Orchestration, Automation, and Response (SOAR). SOAR is one of the main tools in Security Operation Centers (SOCs) as it provides a unique set of features that allows you to perform needed steps from incident creation to incident resolution.

There are four main elements in SOAR that we will focus on:

• Incident management
• Incident investigation
• Automation
• Reporting

We will cover all four elements in the book, starting with an overview of each element, and then showcase what each element looks like in tools such as Microsoft Sentinel, Splunk SOAR, and Google Chronicle SOAR.

As there is a lot of documentation on incident management and investigation from the perspective of incident management frameworks, the second part of the book will focus on automation with hands-on examples using Microsoft Sentinel.

I will provide step-by-step instructions on how to create, test, and utilize automation using Microsoft Sentinel based on personal experience working with Microsoft Sentinel automation, the documentation available, and experience gathered working with many different organizations adapting Microsoft Sentinel, and especially Microsoft Sentinel SOAR.

The reason why we are focusing on SOAR is that it is a growing market, and many organizations are starting to adapt SOAR tools for their day-to-day operations. This can be seen best from the perspective that each Security Information and Event Management (SIEM) vendor has either created its own SOAR solution, bought a SOAR solution and integrated it with its SIEM, or has close cooperation with an independent SOAR vendor.