QRadar SOAR Playbook Designer makes it easy to build a standard incident response process or set of tasks. Playbook tasks provide analysts guidance on how to complete each task and the order to perform the tasks. Decision points allows the process to be dynamic and branch to include additional tasks or skip unnecessary tasks. During an incident, additional tasks can be manually added by an analyst.

The Qradar SOAR Breach Response module provides analysts with breach-specific tasks, covering over 180 global privacy regulations, to help you meet reporting requirements and avoid hefty fines.

Tasks define actions, and actions can run automation—through integrations—with other tools to accelerate the response process. QRadar SOAR can integrate with more than 300 security solutions. You can simply start by defining the set of tasks and the order of task execution, then automate the most commonly executed actions first.

Automated threat detection and threat hunting provides alerts that need to be reviewed by an analyst. Sending those alerts to QRadar SOAR creates a case and initiates the incident response (IR) process.

Tasks assist the security team to analyze the infected system and analyze network traffic for lateral movement.

Playbooks help create the right set of tasks, which may vary based on the type of incident or source. QRadar SOAR allows you to create playbooks for different types of attacks; the playbooks contain logic to trigger different tasks based on attributes of the attack.

The earlier a SOAR case gets created, the more the automation can help to save time. Tasks can guide new analysts and build case documentation. The archive function can help clean up old cases or false positives, keeping the system clean, but allowing a permanent record that you can always retrieve.

In this phase, an analyst needs to research and determine if the alert is real. Task guidance can use actions to automatically collect the details from multiple, connected tools, gathering all relevant information. The information is added to case data tables, and this starts the incident documentation process.

Enrichment can be as simple as going to an LDAP directory to add the laptop owner to the case or gather all the pertinent details from the alert source (for example, SIEM, EDR, cloud and more). By automating enrichment with playbook actions, analysts can focus on reviewing and confirming the incident or marking it as a false positive.

If any data was lost, completing the breach response questionnaire with the number of affected individuals and their geographies can help determine applicable regulations and the associated response times and reporting tasks.

Time is of the essence during an attack, and automating actions saves time and reduces the learning curve for new analysts.  With over 300 integrations and support for open standards, automating containment actions is the first priority. Once an analyst confirms the incident, actions can run automatically or manually by an analyst. Actions in this phase can take a system offline or stop a process from executing.  Integrations with EDR tools, such as QRadar EDR or Cybereason, can also take an employee's laptop offline.

For IT systems, such as a payroll or human resources, automations can look up system IT and business owners in an asset management tool such as ServiceNow or SAP. Automations can send an email to the owners to tell them the system is infected, and add the owners to the case data table with comments that the owners were notified through email or Slack.

Playbooks can be dynamic, so in the event of a high valued target, such as an executive laptop, time may be critical and playbooks can execute containment actions while the analyst continues to work tasks during the Enrichment and Validate phase. After the details of the attack are confirmed, actions can automate updates to a firewall blocklist by using an EDR integration, which helps prevent lateral movement or reentry, saving analysts time.

During this phase, security teams can facilitate the remaining recovery actions and communicate incident resolution across the team. Analysts can automate actions to create and track requests to IT to reimage machines or restore from backups.

Bidirectional integrations with tools such as ServiceNow allow analysts to create a ticket from QRadar SOAR and monitor progress. ServiceNow can update the case when the ServiceNow ticket is completed. You can also automate actions that request your EDR solution such as QRadar EDR, Carbon Black or SentinelOne, to bring the system back online.

Lessons learned
Reporting summarizes the documentation for each response and action taken. An incident report will summarize for the review to ensure all the proper documentation is part of the case. In the case of a data breach, a review of applicable regulations helps to keep organizations in compliance with the associated reporting timelines.

Analysts review the phases and document any issues that need to be updated to improve incident response in the future. This is when an analyst would document and recommend improvements such as changing the frequency of backups or review the manual tasks added to the case that should be added to the playbook for future incidents.

Reporting helps with understanding where the incident response process can be improved. Security teams can use the QRadar SOAR platform to “Generate Incident Report”. From here, analysts can generate a report on a single incident or on multiple incidents. They can use a standard template to format the report or customize it to meet specific needs.