
Eric Feron
Moderator

In the first episode of a series of three, Keith Reynolds, Sr Advisory Solutions Architect, shares his extensive experience with customers to explain (with in-product demos) how to easily and quickly get started with Security Incident Response, phase 1: Ingestion.

For Security Analysts.

 

Video contents:

00:01 Introductions.

01:22 Reminder: the maturity framework.

02:04 The 4 steps of security incident management: today's focus is on ingestion.

03:22 Sources and technologies available. Strive to automate as much as possible.

04:39 Manual entry sources, human involvement needed for ad-hoc incidents. Forms, catalog. Easy. This will always be needed, but overall effort will be lowered over time thanks to automation.

08:15 Catalog items. Security request.

11:15 Email parsers. Email parsing rule.

15:46 ServiceNow API. API explorer. Evaluate API calls.

17:35 Integration hub. When there is no suitable application in the Store. Develop yourself.

19:15 Direct Integrations. ServiceNow Store. Simple, very scalable, supported. 50+ integrations available. https://store.servicenow.com/sn_appst...

22:08 Gold standard SIEM integrations. Simple, effective. Preferred method. Example of Splunk Enterprise Security.

29:08 What to do next: Review how to automate all that can be. Talk to your account team to see what is on the roadmap. Stay tuned for episode 2 on automation. Ask the community.

30:05 Conclusions: Subscribe to the forum. Attend the roadmap presentations.

Download the PDF file of the slides below.

Comments
Adz1
Mega Guru

Hi Eric, 

Thanks for sharing this video - very helpful! Could you share the planned release date for the next part? 

Eric Feron
Moderator

Hi there,

We are aiming for end of next month.

Thank you for your patience.

E

User480943
Tera Contributor

I can't see the attached PDF of this conversation here? Can it be uploaded here?

Version history
Last update: 07-09-2021 08:56 AM