SOC EPP Alert Processing Summary
12/05/2024
Description
Incident Response Cycle (See Image Below)
- Prepare/Protect (Partner & MSS Support)
  - Ensure that all controls that protect the environment are in place, tested, and validated.
- Detect (SOC)
  - Identification that abnormal, suspicious, or malicious activity has occurred.
- Mitigate (SOC)
  - Contain the incident and minimize its damage.
- Investigate (SOC)
  - Document what happened, the scope of the incident, and other areas of impact.
- Remediate (Partner)
  - Once the threat has been eradicated, the goal is to return the environment to the state it should be in.
Alert Processing
- All Anti-Virus and EDR events are processed on the endpoint and sent to their respective management portals.
- These events are then forwarded as syslog to the SIEM/SOAR owned by SonicWall Managed Security Services, Inc.
- The SIEM/SOAR uses automation to identify anomalous or malicious activity and to generate security incidents for the SOC Analyst to process and investigate.
- SOC Analysts also perform manual investigations (threat hunting) to apply additional scrutiny to potentially malicious or anomalous activity that cannot be detected by automation. Findings from these investigations open a manual security incident.
- Every security incident processed by the SOC is investigated to establish its authenticity, timeline, and severity. On concluding the investigation, the analyst determines whether the event is actionable (the partner needs to be alerted), assigns the correct classification to the event, and takes the appropriate steps as follows:
- Minor Classification
  - Abnormal activity identified on the endpoint that does not match the analyst’s expectation of typical endpoint activity.
  - These alerts have a high false-positive rate; however, the information is considered useful for the partner in deciding whether further investigation is needed.
  - The partner will be contacted by email outlining the details of the investigation.
- Major Classification
  - Confidence of suspicious or malicious activity that the partner/customer should be aware of.
  - The activity does not show evidence of a compromise; however, notification and further investigation by the partner/customer are recommended.
  - Loosely described as ‘the Anti-Virus did its job and stopped the threat’.
  - The partner will be contacted by email outlining the details of the investigation.
- Critical Classification
  - There is high confidence that a compromise has occurred within the environment.
  - Compromise is loosely defined as a breach or infection.
  - If not already automated, the analyst will attempt to isolate the affected endpoint(s).
    - Please note that if the machine being isolated is a Domain Controller and is the only DNS resolver for that network, we will not be able to communicate with any of the hosts within that network during the isolation.
  - The partner will be notified by phone call to outline the details of the investigation and the response steps taken, and to discuss the next steps.
    - The Analyst will attempt four calls to the emergency contact number(s) provided in the first hour.
    - After the initial hour, the Analyst will continue to call once at the top of every hour until contact is made.
  - The partner will also receive an email notification outlining the details of the investigation and the response steps taken.
    - Both the normal SOC Alert email and the Emergency Contact email provided will be notified.
An Analogy
Analogies can help explain an unfamiliar concept or idea. To help our partner community better understand the methodology behind our alert classifications, we have summarized our alert processing in the following analogy:
Consider our SOC as a Fire Department and our Analysts as Fire Fighters
- Minor Classification
  - We smell smoke in the area.
  - It is likely not a fire; however, we will use the information we have to let the homeowner know that something does not seem right.
- Major Classification
  - We smell smoke and hear the fire alarms in the house, but we do not have direct evidence that a fire is burning.
  - We do not want to start dousing the house with water, as this could cause more harm than good.
  - We need the homeowner to investigate what might have caused the smoke, as we are doing.
- Critical Classification
  - We smell the smoke, see the smoke, and see the fire.
  - We will immediately attempt to put the fire out (mitigation).
  - We will not ask for permission to do so, as waiting could cause more harm and damage.
  - We will contact the homeowner once we have taken all the steps we can to mitigate the issue.