Incident Response with Threat Intelligence
An important feature of SOAR is the capacity to escalate or automate processes between systems.
We can do this in several ways. We can automate alerts so that we receive notifications under certain conditions and take specific actions according to an IR playbook, or we can trigger a new case directly from a SOC alert.
To emulate suspicious behavior, we are going to create a new Windows user to trigger an alert, and then we will escalate this alert to open an incident case.
First, let's generate a security event related to the creation of a local Windows user from the command line:
New-LocalUser -Name "PamB" -NoPassword
The new user is now created and enabled, as you can see in the following screenshot:
Figure 11.26 – Creation of new...
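The command above writes Event ID 4720 ("A user account was created") to the Windows Security log, which is the event a SOC alert rule would key on. The following PowerShell is an added example, not code from the book or from any SOAR product: it pulls recent 4720 events and shapes each one into a normalized alert record that a playbook could hand to a case-creation step. It assumes it is run with administrator rights on the host where the account was created and that "Audit User Account Management" auditing is enabled; the function name and output fields are my own.

```powershell
# Added example (not from the book): turn local user creation events (ID 4720)
# into alert records a SOAR playbook can escalate to a case.
# Assumes: administrator rights; "Audit User Account Management" enabled.

function Get-UserCreationAlert {
    param(
        [int]$MinutesBack = 60   # how far back in the Security log to look
    )

    $filter = @{
        LogName   = 'Security'
        Id        = 4720          # "A user account was created"
        StartTime = (Get-Date).AddMinutes(-$MinutesBack)
    }

    # -ErrorAction SilentlyContinue: Get-WinEvent throws when no event matches
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Read EventData fields by name instead of by position, so the
        # mapping does not silently break if the event schema changes.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $newAccount = $data['TargetUserName']
        $creator    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"

        # Normalized alert: these field names are assumptions, adapt them to
        # whatever your SOAR's case-creation API expects.
        [pscustomobject]@{
            TimeCreated = $e.TimeCreated
            Host        = $e.MachineName
            RecordId    = $e.RecordId
            NewAccount  = $newAccount
            CreatedBy   = $creator
            Severity    = 'medium'
            Title       = "Local account '$newAccount' created on $($e.MachineName) by $creator"
        }
    }
}

# Usage: show account creations from the last hour; in a playbook, pipe the
# objects to the step that opens an incident case instead of Format-Table.
Get-UserCreationAlert -MinutesBack 60 | Format-Table -AutoSize
```

After running the New-LocalUser command above, the "PamB" account should appear in this output with your own account in the CreatedBy column; if it does not, check that account-management auditing is enabled before tuning the alert rule.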