SOC Rules Are Meant to Stay Un-Broken: How to Innovate where it Really Matters for SOC Analysts
Encode is an IBM Global Silver Business Partner and regularly employs the QRadar platform to serve its various clients around the globe. At Encode we strive to take a proactive approach and to build custom tools that help Analysts save time, improve performance and focus on what really matters: identifying threats as fast as possible.
Today's Analysts usually belong to a generation born into the digital age, and they are used to platforms that handle routine tasks effectively and leave the creative thinking to the human element.
A blur of rules and procedures is not only time-consuming; as we saw in some cases in 2019, it can also serve as an exploitation path for smart hackers, who rely on the extra time it costs, or on the predictable set of actions Analysts follow, to open a window of opportunity or to create a smoke screen covering their real attacks, even when the Analysts are aware of the hackers' existence and of the methodologies and toolsets they use.
The Rule Explorer App, developed by Encode’s Engineers for QRadar, allows operators to navigate through rules and building blocks and to view test conditions, rule actions and responses, as well as the test conditions of referenced building blocks, all in one single view. It offers quick and easy navigation between rules/building blocks and the rules/building blocks referenced in their test conditions. This is useful for troubleshooting issues with the Custom Rule Engine and for understanding complicated rules in QRadar.
Why we created Rule Explorer in 2017
Efficient use of QRadar is based heavily on reading Rules and Building Blocks. The relations and references between Rules and Building Blocks are not always easy to understand without a methodical breakdown, especially when troubleshooting or debugging is involved.
We also learned from all our SOC and MSS activities that documentation is key, and in QRadar specifically, that Security Analysts need documentation of the applied Ruleset.
The improvements we bring to Rule Explorer in 2020
Rules have relations and dependencies beyond other Rules and Building Blocks. These are: Custom Properties, Reference Data, QIDs, Categories, and Dispatched Events. The new and enhanced version of Rule Explorer addresses and visualizes these relations, adding performance visualization and highlighting the relationships between the rest of the content and Custom Properties, Reference Data and Log Sources.
This sort of initiative is a source of pride for our engineers, as it provides a concrete and measurable solution to real pains in the day-to-day activities of SOC analysts, delivers immediate impact and meets our ultimate goal of improving the defenses of our customers.
Sometimes what you need to do is take the machines and assets you already have, make sure they are properly maintained and oiled, and keep them updated with the latest tools and technologies.