Escalating incidents from detection
An important feature of SOAR is the ability to escalate or automate processes between systems.
We can do this in several ways: we can either automate alerts so that we receive notifications under certain conditions and take specific actions according to an IR playbook, or we can trigger a new case from a SOC alert.
Emulating suspicious behavior
To emulate suspicious behavior, we are going to create a new Windows user to trigger an alert, and then we will escalate this alert to open an incident case.
First, let's generate a security event related to the creation of a local Windows user from the command line:
- To create the new user, run the following command in the Windows Terminal/PowerShell console:
New-LocalUser -Name "PamB" -NoPassword
The new user is now created and enabled, as you can see in the following screenshot:
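Before wiring the alert into an escalation workflow, it is worth confirming that Windows actually wrote the audit record the SIEM or SOAR pipeline will ingest. The following script is an added example, not code from the book: it creates the same test user as above and then queries the Security log for the account-creation event (Event ID 4720, "A user account was created") for that account. It assumes an elevated PowerShell session and that "Audit User Account Management" is enabled; the ten-minute lookback window and the property indexes used for the target and subject user names are the example's own choices.

```powershell
# Added example (not from the book): create the test user as the section does,
# then verify the Security log holds the 4720 event that a detection rule keys on.
# Assumes an elevated session and User Account Management auditing enabled.
$userName = "PamB"   # name taken from the section; any test name works

if (-not (Get-LocalUser -Name $userName -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $userName -NoPassword | Out-Null
    Write-Host "Created local user $userName"
}

# Look for 4720 events in the last 10 minutes (lookback is an assumption).
$since = (Get-Date).AddMinutes(-10)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4720
    StartTime = $since
} -ErrorAction SilentlyContinue

# In 4720 events the new account's SAM name is the first property (TargetUserName)
# and the creating account is the fifth (SubjectUserName). Filtering on properties
# rather than on the message text keeps the check locale-independent.
$match = $events | Where-Object { $_.Properties[0].Value -eq $userName }

if ($match) {
    $match | Select-Object TimeCreated, Id,
        @{ n = 'TargetUser'; e = { $_.Properties[0].Value } },
        @{ n = 'CreatedBy';  e = { $_.Properties[4].Value } } |
        Format-Table -AutoSize
} else {
    Write-Warning "No 4720 event found for $userName; check that 'Audit User Account Management' is enabled."
}

# Cleanup once the alert and case workflow has been exercised (optional):
# Remove-LocalUser -Name $userName
```

If the warning fires, the escalation you build next has nothing to trigger on, so fix auditing first; if the table appears, its TimeCreated value is the timestamp you should expect to see on the SOC alert and, after escalation, on the case.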