SECOPS 12: SOC WMS and Automation

Question 1

WMS

Answer 1

Tags/ID’s, tracks a security event, and tracks the actions to deal with the event

Question 2

Tool to orchestrate & automate IR process

Answer 2

WMS

Question 3

WMS aka

Answer 3

SOAR

Question 4

SOAR stands for

Answer 4

Security Orchestration Automation and Reporting

Question 5

System that performs containment and eradication

Answer 5

WMS

Question 6

Sequential workflow

Answer 6

Flow-chart style. One step to the next

Question 7

State machine

Answer 7

Progress from state to state

Question 8

Rules-Driven

Answer 8

Rules dictate process

Question 9

Guides analysts through the triage and response procedure

Answer 9

Workflow

Question 10

IR lifecycle (4)

Answer 10

Preparation
Detection and Analysis
Containment, Eradication, Recovery
Post incident activity

Question 11

Tier 1 Analyst

Answer 11

Monitors alerts, triages security alerts, Collects data to escalate to Tier 2

Question 12

Tier 2 Analyst

Answer 12

Deep IA by correlating data. Determines affect. Advises on remediation.

Question 13

IR Handler

Answer 13

Manages incident. Executes containment. Comms.

Question 14

Forensics specialists

Answer 14

Gather, analyze data for investigation. Maintains data integrity.

Question 15

Reverse engineering specialist

Answer 15

ID’s TTP’s and IOC’s. Signature writing.

Question 16

RESTful API

Answer 16

Used to send/receive data between tools

Question 17

Command line API’s

Answer 17

Often one off uses between WMS and other systems

Question 18

TAXII

Answer 18

Standardizes automated exchange of threat info.