How does SOC.OS work?
Security alerts are ingested into SOC.OS either via the on-premises SOC.OS agent or from one of the cloud-based sources. The alerts are enriched with further information from third-party sources (e.g. Whois information) and the MITRE ATT&CK® threat associated with each alert is identified. The alerts are then correlated into groups or “clusters” based on a number of rules. This ensures that, for example, alerts targeting the same part of your network with similar threat types appear in the same cluster and can be examined together.
These clusters are then ranked so that the ones deemed to require urgent investigation can be found easily on the SOC.OS workbench. Users also have the ability to specify high-importance assets in their network, with clusters containing these assets being moved further up the priority ranking. These clusters can then be investigated from the SOC.OS workbench using a bespoke data visualisation tool that illustrates the time evolution of the cyber event.
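The pipeline described above, as an added illustration that is not SOC.OS code: the correlation rule (same asset, same ATT&CK technique, within a time window), the scoring weights, the high-importance asset list and the sample alerts are all assumptions constructed for this example.

```python
# Constructed sample alerts (illustrative only, not SOC.OS data). The page says
# enrichment attaches a MITRE ATT&CK technique before clustering, so each
# alert here already carries one; ts is seconds since an arbitrary epoch.
ALERTS = [
    {"id": 1, "src": "203.0.113.5", "asset": "web-01", "technique": "T1110", "ts": 100},
    {"id": 2, "src": "203.0.113.5", "asset": "web-01", "technique": "T1110", "ts": 160},
    {"id": 3, "src": "198.51.100.9", "asset": "db-01", "technique": "T1190", "ts": 200},
    {"id": 4, "src": "203.0.113.7", "asset": "web-02", "technique": "T1110", "ts": 220},
    {"id": 5, "src": "198.51.100.9", "asset": "db-01", "technique": "T1190", "ts": 700},
]

# Hypothetical user-specified high-importance assets (the page says users can mark these).
HIGH_IMPORTANCE = {"db-01"}


def cluster_alerts(alerts, window=600):
    """Correlation rule (assumed for this example): an alert joins a cluster when
    it hits the same asset with the same ATT&CK technique and arrives within
    `window` seconds of that cluster's most recent alert. Returns a list of
    clusters, each a time-ordered list of alerts."""
    clusters = []
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        for cluster in clusters:
            last = cluster[-1]
            if (last["asset"], last["technique"]) == (alert["asset"], alert["technique"]) \
                    and alert["ts"] - last["ts"] <= window:
                cluster.append(alert)
                break
        else:  # no matching cluster: start a new one
            clusters.append([alert])
    return clusters


def score_cluster(cluster, asset_bonus=5):
    """Priority score (assumed weights): one point per alert, one per distinct
    source, plus a bonus when the targeted asset is marked high-importance."""
    score = len(cluster) + len({a["src"] for a in cluster})
    if cluster[0]["asset"] in HIGH_IMPORTANCE:
        score += asset_bonus
    return score


def rank_clusters(alerts):
    """Clusters ordered most urgent first, as (score, [alert ids]) pairs."""
    ranked = sorted(cluster_alerts(alerts), key=score_cluster, reverse=True)
    return [(score_cluster(c), [a["id"] for a in c]) for c in ranked]


if __name__ == "__main__":
    for score, ids in rank_clusters(ALERTS):
        print(score, ids)
```

With these inputs the two alerts against the high-importance database host rank first even though the web host saw the same number of alerts, which is the effect the asset-importance setting is meant to have.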
The SOC.OS dashboard provides a number of graphs and tables to give you a clear overview of your entire network and to aid in the compilation of high-level reports.