Posts

Security automation typically involves making connections to services - typically APIs both internal (e.g AD) and external (e.g. VirusTotal). Splunk’s SOAR solution has a large library of apps but it’s a pretty common requirement to connect to a service that doesn’t yet have an app. SOAR makes it fairly easy to develop custom apps (connectors), which help abstract away some of the pain points of working with an API - including authentication, pagination, transformation of returned content and error handling....

A SIEM typically collects event data, runs detections, generates alerts and serves as a single pane of glass for security alerts. One of the fundamental types of event to ingest is malware alerts from endpoint antivirus and EDR solutions. Malware alerts may seem dull - no user behaviour analytics, no machine learning, but we very often read incident response reports where an attacker triggered AV/EDR alerts that were completely ignored, before eventually executing a ransomware attack or exfiltrating data....