Abstract

This article discusses how to organize and automate incident investigation and response processes using SIEM systems. These days, security operations centers (SOCs) face numerous challenges that can negatively impact their ability to detect, investigate, and respond to security incidents. Some of the major challenges include the increasing volume and complexity of security alerts, the shortage of qualified cybersecurity professionals, the use of disparate security tools and systems, and the need to comply with various regulatory frameworks. In this research, the authors developed detection rules that address the need for accuracy and specificity, since false positives lead to unnecessary alerts and undermine the effectiveness of automated response systems. The proposed detection rules have been thoroughly tested on real security incidents to ensure their reliability and effectiveness. The authors propose methods for developing playbooks and SIEM correlation rules, and present detection rules that enable automatic incident response, thereby facilitating the work of SOC analysts.
