Paris0t/SOAR-EDR-Project
SOAR-EDR Lab

Objective

The objective of the SOAR-EDR Lab project is to establish a robust Security Orchestration, Automation, and Response (SOAR) system integrated with Endpoint Detection and Response (EDR) using Tines and LimaCharlie. This project aims to automate incident response workflows, enhance cybersecurity defenses, and validate detection rules through comprehensive testing and integration.

Skills Learned

🔧 Practical setup and configuration of SOAR and EDR environments.

🤖 Customization and automation of incident response workflows.

🎯 Testing and validation of detection rules and automated responses.

💬 Integration of communication channels (e.g., Slack) for alert notifications.

Tools Used

🛠️ Tines for SOAR automation.

🔍 LimaCharlie for EDR integration and automation.

💬 Slack for communication and alerting.

📊 Telemetry generation tools for simulating attack scenarios.

Links to my YouTube videos

📺 Full Walkthrough

📺 End Result Showcase

Screenshots

Ref 1: Tines Storyboard (screenshot)

Ref 2: Notification to SOC Analyst Prompt (screenshot)

Ref 3: Target machine being isolated by LimaCharlie (screenshot)

Ref 4: Slack notification (screenshot)

Outline

Part 1: Introduction and Project Setup

🌐 Overview of SOAR and EDR concepts.

🔧 Setting up the project environment and prerequisites.

Part 2: Building the Workflow

🛠️ Step-by-step guide on creating and customizing workflows.

🔗 Integrating Tines and LimaCharlie for automated incident response.

Part 3: Generating Telemetry and Creating Detection Rules

📊 Using telemetry generation tools to simulate attack scenarios.

🔍 Creating, testing, and validating detection rules in LimaCharlie.

Part 4: Setting Up Slack and Tines for Automation

💬 Configuring Slack for alert notifications.

🤖 Setting up Tines for automated incident response actions.

Part 5: Final Integration and Testing

🔄 Integrating all components of the SOAR-EDR system.

✔️ Comprehensive testing and validation of the entire system.
