SOAR systems are crucial in automating responses to network security incidents, such as detecting network scans. Here’s how a SOAR system can enrich and process a network scan alert:
- Alert Enrichment: Upon receiving a basic alert from an IDS/IPS system, the SOAR system automatically enriches this information with additional data. This may include:
  - Historical Log Analysis: Examining past logs and events associated with the IP or similar attack patterns to gain historical context.
  - Reputation Database Checks: Checking the perpetrator’s IP address in public and private IP reputation databases to determine if it is known from previous attacks or suspicious activities.
  - Geolocation Correlation: Associating the IP address with geolocation to understand the geographic context of the attack source.
- Threat Classification and Assessment: Based on the enriched data, the SOAR system analyzes the risk associated with the detected scan:
  - Connection Attempt Frequency: Assessing how frequently the suspicious IP tried to establish a connection, which can indicate an automated attack.
  - Targeted Services: Identifying which services or ports were targeted by the attack, which can suggest motives and potential objectives of the attacker.
- Response Decisions: Depending on the established risk level, the system can automatically take a series of actions to minimize potential damage, such as:
  - Network Firewall Rule Application: Implementing firewall rules that restrict access to key network resources for the identified IP address.
  - Security Team Notifications: Informing the security team through automated email or SMS notifications.
  - Ongoing Monitoring: For lower-level threats, the SOAR can continue to monitor the IP activity and collect more data before deciding on an intervention.
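The three stages above (enrichment, risk assessment, response decision) can be tied together in a small playbook. The following is an added example written for this page, not code from any SOAR product: the reputation database, geolocation table, historical logs and IDS alerts are all constructed in-line, and the scoring weights, thresholds and sensitive-port table are assumptions chosen to illustrate the logic rather than vendor defaults.

```python
"""Toy SOAR playbook for a network-scan alert (added example; all data constructed)."""
from collections import Counter
from dataclasses import dataclass, field

# --- Constructed stand-ins for the enrichment sources named above ---
REPUTATION_DB = {  # would normally be a public/private IP reputation feed
    "203.0.113.45": {"listed": True, "reports": 17, "tags": ["scanner"]},
}
GEOLOCATION_DB = {"203.0.113.45": {"country": "XX", "asn": "AS64496 (example)"}}
HISTORICAL_LOGS = [  # past IDS events, e.g. from a SIEM
    {"ts": 1700000000, "src_ip": "203.0.113.45", "dst_port": 22, "msg": "SYN to closed port"},
    {"ts": 1700003600, "src_ip": "203.0.113.45", "dst_port": 3389, "msg": "SYN to closed port"},
    {"ts": 1700007200, "src_ip": "198.51.100.7", "dst_port": 80, "msg": "HTTP GET /"},
]
# Ports whose probing suggests the attacker is after remote access or file services (assumed list)
SENSITIVE_PORTS = {22: "ssh", 445: "smb", 1433: "mssql", 3389: "rdp"}


@dataclass
class Alert:
    src_ip: str
    signature: str
    events: list  # (timestamp_seconds, dst_port) tuples reported by the IDS


@dataclass
class Enriched:
    alert: Alert
    reputation: dict
    geo: dict
    prior_events: list
    attempts_per_minute: float = 0.0
    targeted_services: dict = field(default_factory=dict)


def enrich_alert(alert, reputation_db=REPUTATION_DB, geo_db=GEOLOCATION_DB, history=HISTORICAL_LOGS):
    """Stage 1: attach reputation, geolocation and historical context to the raw alert."""
    prior = [e for e in history if e["src_ip"] == alert.src_ip]
    return Enriched(
        alert=alert,
        reputation=reputation_db.get(alert.src_ip, {"listed": False, "reports": 0, "tags": []}),
        geo=geo_db.get(alert.src_ip, {"country": "unknown", "asn": "unknown"}),
        prior_events=prior,
    )


def assess_risk(enriched):
    """Stage 2: score the scan from attempt frequency, targeted services and enrichment."""
    ts = sorted(t for t, _ in enriched.alert.events)
    window = max(ts[-1] - ts[0], 1) if ts else 1          # seconds; never divide by zero
    enriched.attempts_per_minute = len(ts) * 60 / window
    ports = Counter(p for _, p in enriched.alert.events)
    enriched.targeted_services = {p: SENSITIVE_PORTS[p] for p in ports if p in SENSITIVE_PORTS}

    score = 0                                               # assumed weights, tune per environment
    if enriched.reputation["listed"]:
        score += 40
    if enriched.attempts_per_minute >= 60:                  # clearly automated
        score += 30
    elif enriched.attempts_per_minute >= 10:
        score += 15
    score += min(30, 10 * len(enriched.targeted_services))  # each sensitive service adds weight
    if enriched.prior_events:
        score += 10                                         # we have seen this source before
    level = "high" if score >= 70 else "medium" if score >= 40 else "low"
    return score, level


def decide_response(level, src_ip):
    """Stage 3: map the risk level to the response actions described in the text."""
    if level == "high":
        return [f"firewall: restrict {src_ip} from key resources", "notify: email+sms security team"]
    if level == "medium":
        return ["notify: email security team", f"monitor: add {src_ip} to watchlist"]
    return [f"monitor: add {src_ip} to watchlist"]           # low: keep collecting data


def run_playbook(alert, **sources):
    enriched = enrich_alert(alert, **sources)
    score, level = assess_risk(enriched)
    return {
        "src_ip": alert.src_ip, "signature": alert.signature, "geo": enriched.geo,
        "reputation": enriched.reputation, "prior_events": len(enriched.prior_events),
        "attempts_per_minute": round(enriched.attempts_per_minute, 1),
        "targeted_services": enriched.targeted_services,
        "score": score, "level": level, "actions": decide_response(level, alert.src_ip),
    }


# Constructed alerts: a fast SYN scan of sensitive ports, and a handful of web hits from an unknown host
SCAN_ALERT = Alert("203.0.113.45", "SYN scan (constructed)",
                   [(1700010000 + i // 2, [22, 445, 3389, 80][i % 4]) for i in range(120)])
BENIGN_ALERT = Alert("192.0.2.9", "Port probe (constructed)",
                     [(1700020000, 80), (1700020060, 443), (1700020120, 80)])

if __name__ == "__main__":
    for a in (SCAN_ALERT, BENIGN_ALERT):
        print(run_playbook(a))
```

The score is deliberately additive so an analyst can read back why an alert landed at a given level; in a real deployment the weights, the sensitive-port list and the 60-attempts-per-minute threshold would be tuned to the environment's baseline, and the "monitor" branch would feed the next alert's historical-log lookup.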