What is a SOAR system? SOAR stands for Security Orchestration, Automation, and Response. A SOAR platform is a set of security software tools that lets an organization define, execute, and automate security tasks that would otherwise be carried out by analysts by hand across separate tools. SOAR solutions coordinate workflows (playbooks) that chain security tools together with human review steps, which shortens the response time to an attack and strengthens the overall security posture.
A SOAR platform improves security...
@Chiheb Chebbi,
I hope the below test cases are helpful.
Test 1 - Recon: Password Spraying
Test 2 - Privilege Escalation (Windows): PowerShell Dropper Attacks
Test 3 - Lateral Movement: PsExec
Test 4 - Privilege Escalation (Linux): Failed Sudo
Test 5 - Malicious Code Execution: EICAR Malware Test File
Some examples
https://drertugrulakbas.medium...
As a rule, a SIEM correlation should:
1) Reduce events by 99.99% - raw events to correlations
2) Impact system performance by <1%
3) Produce Correlated Threats with >35% true positive rate on investigation
- 33% are usually false positives or misconfigurations (not real threats)
- 33% are usually unexplained, root cause not discernable
4) Result in <10% false negatives (missed threats)
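Added example, not code from either of the posts above: a minimal correlation rule for the "Recon: Password Spraying" test case (Test 1 in the reply above), run over a handful of constructed Windows Security failed-logon (4625) and successful-logon (4624) lines, with the raw-event-to-alert reduction ratio from the correlation rule of thumb computed at the end. The log format, IP addresses, user names, window size and thresholds are all assumptions chosen for illustration. The rule keys on the shape that distinguishes a spray from a brute force: many distinct target accounts with only one or two attempts each from a single source, and it flags any sprayed account that then logs on successfully from that source.

```python
"""Password-spray correlation over constructed 4625/4624 events.

Added example, not from the original thread. Log lines, IPs, users,
window and thresholds are constructed/assumed for illustration only.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed sample log (one line per event). 10.0.0.5 sprays one password
# across many accounts and then succeeds as "frank"; 10.0.0.9 hammers a single
# account (brute force, not a spray); 10.0.0.7 is one user mistyping once.
RAW_EVENTS = """\
2024-05-01T10:00:01Z EventID=4625 src=10.0.0.5 user=alice
2024-05-01T10:00:03Z EventID=4625 src=10.0.0.5 user=bob
2024-05-01T10:00:04Z EventID=4625 src=10.0.0.7 user=carol
2024-05-01T10:00:06Z EventID=4625 src=10.0.0.5 user=carol
2024-05-01T10:00:09Z EventID=4625 src=10.0.0.5 user=dave
2024-05-01T10:00:10Z EventID=4625 src=10.0.0.9 user=admin
2024-05-01T10:00:11Z EventID=4625 src=10.0.0.9 user=admin
2024-05-01T10:00:12Z EventID=4625 src=10.0.0.9 user=admin
2024-05-01T10:00:13Z EventID=4625 src=10.0.0.9 user=admin
2024-05-01T10:00:14Z EventID=4625 src=10.0.0.9 user=admin
2024-05-01T10:00:15Z EventID=4625 src=10.0.0.9 user=admin
2024-05-01T10:00:16Z EventID=4625 src=10.0.0.5 user=erin
2024-05-01T10:00:20Z EventID=4625 src=10.0.0.5 user=frank
2024-05-01T10:00:25Z EventID=4624 src=10.0.0.5 user=frank
2024-05-01T10:30:00Z EventID=4625 src=10.0.0.5 user=grace
"""

# Assumed log layout; a real SIEM would already have these as parsed fields.
LINE_RE = re.compile(r"^(?P<ts>\S+) EventID=(?P<eid>\d+) src=(?P<src>\S+) user=(?P<user>\S+)$")


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int
    src: str
    user: str


def parse_events(text: str) -> list[Event]:
    """Parse the constructed format into Events, oldest first; skip junk lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, int(m["eid"]), m["src"], m["user"]))
    return sorted(events, key=lambda e: e.ts)


@dataclass(frozen=True)
class SprayAlert:
    src: str
    window_start: datetime
    distinct_users: int
    failures: int
    compromised: tuple[str, ...]  # sprayed users that later logged on from src


def detect_password_spray(events, window=timedelta(minutes=10),
                          min_users=5, max_attempts_per_user=2):
    """Collapse 4625 failures per source into at most one alert per window.

    Spray = many distinct users, few attempts each, one source. A brute force
    (many attempts, one user) fails the per-user ceiling and is not reported.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e.src].append(e)
    alerts = []
    for src, evs in by_src.items():
        failures = [e for e in evs if e.event_id == 4625]
        successes = [e for e in evs if e.event_id == 4624]
        i = 0
        while i < len(failures):
            start = failures[i].ts
            bucket = [e for e in failures[i:] if e.ts - start <= window]
            per_user = defaultdict(int)
            for e in bucket:
                per_user[e.user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_attempts_per_user:
                hit = tuple(sorted({s.user for s in successes
                                    if s.user in per_user and start <= s.ts <= start + window}))
                alerts.append(SprayAlert(src, start, len(per_user), len(bucket), hit))
                i += len(bucket)  # consume the window: one spray -> one alert
            else:
                i += 1
    return alerts


def event_reduction(raw_count: int, alert_count: int) -> float:
    """Fraction of raw events collapsed away by correlation (1.0 = everything)."""
    return 1.0 - alert_count / raw_count if raw_count else 0.0


if __name__ == "__main__":
    evs = parse_events(RAW_EVENTS)
    found = detect_password_spray(evs)
    for a in found:
        print(a)
    print(f"reduction: {event_reduction(len(evs), len(found)):.4f}")
```

On this input the brute force from 10.0.0.9 is intentionally left to a separate rule (same account, many attempts); the spray rule reports a single alert for 10.0.0.5 covering six accounts and names "frank" as the account that subsequently authenticated, which is the event an analyst should investigate first. With fifteen raw events collapsed into one alert the reduction ratio is about 93%; the 99.99% figure quoted above is what you expect at production volumes, where a single spray of a few thousand accounts still yields one alert.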