SOC Automation with PowerShell Interactive Notebooks
Looking for SOC automation tools and security operations playbooks that don’t require a SOAR platform? No problem! What if you could use PowerShell and Markdown to create a standardized, repeatable SOC playbook directly in Microsoft Visual Studio Code? Good news: you can! In this video, we’ll show you how!
In this video, Josh Johnson shows us the future of Blue Team and Security Operations automation by using PowerShell to create an interactive notebook in Visual Studio Code! He demonstrates how to build a simple phishing playbook in which analysts automate common actions: reputation lookups via the VirusTotal API, retrieving DMARC information about the sending domain, and more!
0:00 Introduction
1:13 Motivation for SOC Automation with PowerShell
2:58 What is an interactive notebook?
5:19 .dib vs. .ipynb Notebook Formats
4:53 Using Visual Studio Code for Interactive Notebooks with PowerShell
8:40 Creating a Setup Section for Variables and Input
12:50 Link Analysis - Leveraging the VirusTotal API
15:28 Email Sender analysis with DMARC
16:58 Checking Processes on Infected Systems with the Invoke-Command cmdlet
20:10 Adding Analyst Notes and Results to Investigation
21:50 Threat Hunting Campaigns Workflow with Notebooks
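As an added example (not code from the video or from SEC586), here is what the Setup, Sender analysis and Link analysis cells of such a phishing playbook could look like in a PowerShell notebook. The API key location ($env:VT_API_KEY), the sample sender domain and the sample URL are assumptions; the VirusTotal v3 endpoint and DMARC record format are real.

```powershell
# Added example, not the video's code. Assumes the VirusTotal API key is in
# $env:VT_API_KEY and that Resolve-DnsName (DnsClient module, Windows) is available.

# --- Setup cell: analyst input for this investigation (constructed sample values) ---
$SenderDomain  = 'example.com'                       # sending domain from the suspicious email
$SuspiciousUrl = 'http://example.com/invoice-login'  # link extracted from the email body
$VtHeaders     = @{ 'x-apikey' = $env:VT_API_KEY }

# --- Sender analysis cell: fetch and parse the domain's DMARC policy ---
function Get-DmarcPolicy {
    param([Parameter(Mandatory)][string]$Domain)
    # DMARC lives in a TXT record at _dmarc.<domain>; a CNAME may be returned alongside it
    $txt = Resolve-DnsName -Name "_dmarc.$Domain" -Type TXT -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'TXT' -and ($_.Strings -join '') -like 'v=DMARC1*' } |
           Select-Object -First 1
    if (-not $txt) { return [pscustomobject]@{ Domain = $Domain; Policy = 'no DMARC record' } }
    # Record is "tag=value" pairs separated by semicolons, e.g. "v=DMARC1; p=reject; rua=mailto:..."
    $tags = @{}
    foreach ($pair in (($txt.Strings -join '') -split ';')) {
        $kv = $pair.Trim() -split '=', 2
        if ($kv.Count -eq 2) { $tags[$kv[0].Trim()] = $kv[1].Trim() }
    }
    [pscustomobject]@{
        Domain    = $Domain
        Policy    = $tags['p']                                   # none / quarantine / reject
        SubPolicy = $tags['sp']
        Percent   = if ($tags['pct']) { $tags['pct'] } else { '100' }
        Reports   = $tags['rua']
    }
}

# --- Link analysis cell: VirusTotal v3 URL report (URL id = unpadded base64url of the URL) ---
function Get-VtUrlReport {
    param([Parameter(Mandatory)][string]$Url)
    $id = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Url)).TrimEnd('=').Replace('+','-').Replace('/','_')
    # Returns 404 if VirusTotal has never seen the URL; submit it via POST /api/v3/urls first in that case
    $r = Invoke-RestMethod -Uri "https://www.virustotal.com/api/v3/urls/$id" -Headers $VtHeaders -ErrorAction Stop
    $stats = $r.data.attributes.last_analysis_stats
    [pscustomobject]@{
        Url        = $Url
        Malicious  = $stats.malicious
        Suspicious = $stats.suspicious
        Harmless   = $stats.harmless
        Verdict    = if ($stats.malicious -gt 0) { 'Escalate' } elseif ($stats.suspicious -gt 0) { 'Review' } else { 'No detections' }
    }
}

Get-DmarcPolicy -Domain $SenderDomain | Format-List
Get-VtUrlReport -Url $SuspiciousUrl   | Format-List
```

A weak or missing DMARC policy (p=none or no record) does not prove spoofing, but it tells the analyst the sender domain cannot be trusted to reject forged mail, which is worth recording in the investigation notes.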
Josh Johnson is a SANS Certified Instructor and the course author of SEC586: Blue Team Operations: Defensive PowerShell. He has been working in the information security industry for over 10 years in varying roles, with responsibilities ranging from penetration testing to incident response. Josh was Purple Teaming before it had a name and used his offensive security skill set to find and pursue his true passion: Blue Team. Since then, he has been helping organizations of all sizes and in varying industries, from healthcare to retail to finance, improve their cyber defense capabilities.
Links:
More about Josh: https://www.sans.org/profiles/josh-johnson
SANS SEC586: https://www.sans.org/sec586
#SOCPlaybooks #SecurityOperationsPlaybooks #SOCAutomation
#PowerShellAutomation #PowerShellforInformationSecurity
#WindowsAutomation #PowerShell #InteractiveNotebooks
#JupyterNotebooks #VisualStudioCodeNotebooks #AutomatingSecurityOperations #VisualStudio