Welcome to part 2 of our series on machine learning use cases within Demisto! You can read part 1 here.
In part 1, we saw how machine learning helps enhance responder productivity by suggesting incident owners and experts who can join the investigation to offer their specific expertise. We also learned how SOC efficiency and investigation quality increase when Demisto suggests commonly used security commands in the War Room, enabling analysts to always choose the leanest and most effective actions.
In this blog, we shall look at how machine learning helps responders visualize related incidents, simplify playbook development, and easily extract duplicates.
Use Case 4: Visualizing Related Incidents
The speed and intensity at which incidents crop up in the SOC frequently leads to analyst myopia. While concentrating on the incident at hand, analysts fail to connect it to the bigger picture and draw patterns with similar incidents that have already occurred on the system. This results in redundant rework for response processes that are already stored – but untapped – in the platform.
Machine Learning Solution
For each Demisto incident, the Related Incidents section presents a visual time-based map of similar incidents that have occurred on the system. Demisto studies the incidents’ data and indicator details, identifies patterns and similarities, and visualizes that data in actionable form.
Fig 1: Demisto correlates indicator and incident data to present a real-time radial map of related incidents for each case
Rather than reduce MTTR or alert fatigue – which are standard SOAR benefits – the Related Incidents feature goes a step further and increases analysts’ investigative capabilities by providing them with visual tools to better understand the broader picture of the SOC and how incidents are related across a host of factors.
Use Case 5: Simplifying Playbook Task Creation
After playbooks make the initial journey from paper (or the analysts’ minds) onto SOAR platforms, they facilitate automated response but may not undergo any further measurement and review. Unless analysts capture better knowledge from elsewhere and feed it into the platform, the benefits of these playbooks plateau after a period of time.
Machine Learning Solution
Demisto not only facilitates creation of custom playbook tasks, but also uses machine learning to accelerate the creation of verifiably relevant tasks. While creating playbook tasks and selecting inputs, analysts see suggestions for the arguments and parameters that best fit those inputs. Demisto goes through all existing playbook tasks (both out-of-the-box and within customer environments) and studies the frequency of task parameters to identify commonly used arguments.
Fig 2: Demisto digs across playbook tasks to study commonly used automation arguments and recommends these inputs during the creation of new playbook tasks
Rather than stopping at alert fatigue reduction and quicker incident triage, Demisto playbooks use ML to keep improving through more efficient tasks. This helps tackle the eventual stagnation in efficacy of static playbooks and certifies that even playbooks go to digital gyms to get leaner!
Use Case 6: Extracting Duplicate Incidents
High alert numbers usually lead to a high occurrence of duplicates as well. However, due to varying attack vectors, different target endpoints, or subtle morphing, these incidents register independently on the SOC’s SIEM or SOAR platform. This leads to tiresome, repetitive work for the analysts as they pick out duplicate incidents, playing a soul-sapping game of spotting needles in malicious haystacks.
Machine Learning Solution
Demisto users can use an out-of-the-box automation to generate a list of duplicate incidents, either as a playbook task or interactively in the War Room. Demisto’s machine learning studies both pre-defined data and customer environments, looking for similar labels, email labels (relevant for phishing incidents), incident occurrence times, and common indicators, to generate this list.
Fig 3: Demisto studies both pre-defined data and customer environments to look for similar labels, email labels, incident occurrence time, and common indicators to generate a duplicate incidents list
Easy identification and documentation of duplicate incidents eliminates huge chunks of menial work for analysts, freeing them to concentrate on more critical problem-solving and high-quality tasks.
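To make concrete what both the related-incidents map (Use Case 4) and the duplicate-incidents list (Use Case 6) work from, here is a small added example that is not Demisto's code and does not reproduce its actual model. It scores pairs of incidents on the four signal families the post names (shared labels, email sender and subject for mail-borne incidents, occurrence-time proximity, and common indicators), flags pairs above a threshold as duplicates, and lists time-offset related incidents for one case. The incident records, field names (`labels`, `email_from`, `email_subject`, `indicators`, `occurred`), weights, window and threshold are all constructed assumptions for illustration.

```python
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample incidents (not real Demisto data). Field names are assumptions
# that mirror the signals the post says the duplicate check and related map use.
INCIDENTS = [
    {"id": 1, "occurred": "2019-03-04T09:00:00", "labels": {"phishing", "o365"},
     "email_from": "billing@example.test", "email_subject": "Invoice 4471 overdue",
     "indicators": {"billing@example.test", "hxxp://pay-example.test/inv"}},
    {"id": 2, "occurred": "2019-03-04T09:25:00", "labels": {"phishing", "o365"},
     "email_from": "billing@example.test", "email_subject": "Invoice 4471 overdue",
     "indicators": {"billing@example.test", "hxxp://pay-example.test/inv"}},
    {"id": 3, "occurred": "2019-03-04T11:40:00", "labels": {"phishing"},
     "email_from": "hr@example.test", "email_subject": "Updated holiday policy",
     "indicators": {"hr@example.test"}},
    {"id": 4, "occurred": "2019-03-06T15:10:00", "labels": {"malware", "endpoint"},
     "email_from": None, "email_subject": None,
     "indicators": {"hxxp://pay-example.test/inv", "sha256:PLACEHOLDER-HASH"}},
]


def jaccard(a, b):
    """Overlap of two sets in [0, 1]; empty sets share nothing."""
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def parse_time(s):
    return datetime.fromisoformat(s)


def similarity(x, y, window=timedelta(hours=24)):
    """Weighted similarity in [0, 1]. Weights are illustrative assumptions:
    labels 0.3, indicators 0.3, email fields 0.2, time proximity 0.2."""
    score = 0.3 * jaccard(x["labels"], y["labels"])
    score += 0.3 * jaccard(x["indicators"], y["indicators"])
    # Email features only apply when both incidents are mail-borne (phishing-style).
    if x["email_from"] and y["email_from"]:
        same_sender = x["email_from"] == y["email_from"]
        same_subject = x["email_subject"] == y["email_subject"]
        score += 0.2 * (0.5 * same_sender + 0.5 * same_subject)
    # Time proximity decays linearly to zero at the edge of the window.
    delta = abs(parse_time(x["occurred"]) - parse_time(y["occurred"]))
    if delta <= window:
        score += 0.2 * (1 - delta / window)
    return round(score, 3)


def find_duplicates(incidents, threshold=0.8):
    """Pairs (id_a, id_b, score) whose similarity reaches the duplicate threshold."""
    out = []
    for x, y in combinations(incidents, 2):
        s = similarity(x, y)
        if s >= threshold:
            out.append((x["id"], y["id"], s))
    return out


def related_incidents(incidents, incident_id, min_score=0.05):
    """Data behind a time-based related map: every other incident with some shared
    signal, with its time offset in hours and the indicators it has in common."""
    me = next(i for i in incidents if i["id"] == incident_id)
    rows = []
    for other in incidents:
        if other["id"] == incident_id:
            continue
        s = similarity(me, other)
        if s >= min_score:
            offset = parse_time(other["occurred"]) - parse_time(me["occurred"])
            rows.append({
                "id": other["id"],
                "score": s,
                "hours_offset": round(offset.total_seconds() / 3600, 2),
                "shared_indicators": sorted(me["indicators"] & other["indicators"]),
            })
    rows.sort(key=lambda r: abs(r["hours_offset"]))
    return rows


if __name__ == "__main__":
    print("duplicates:", find_duplicates(INCIDENTS))
    for row in related_incidents(INCIDENTS, 1):
        print("related to #1:", row)
```

Incidents 1 and 2 (same sender, subject, labels and indicators, 25 minutes apart) score as duplicates; incident 4 is not a duplicate of incident 1 but still appears on its related list two days later because the two share a URL indicator, which is the kind of cross-incident link the radial map is meant to surface. Thresholds and weights would be tuned against an environment's own labelled history rather than fixed as here.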
For Demisto, automation is just one of many means to an end: an attack-proof SOC. By harmonizing actions across products, managing incidents within the platform, collaborating in real-time, and learning from all the data at your disposal, you can truly extract the greatest value for your SOC.
Staying true to the ‘learning’ half of machine learning, Demisto is always searching for new avenues to leverage its ML base and advance a platform that gets smarter with each incident, in turn making the SOC smarter as well.
If you’d like to see Demisto in action, we invite you to sign up for our Free Community Edition.