SOC Automation with PowerShell Interactive Notebooks

Video Link: https://www.youtube.com/watch?v=NLyLVb_ZoQE
Duration: 25:28

Looking for SOC automation tools and security operations playbooks that don't require a SOAR platform? No problem! What if you could use PowerShell and Markdown to create a standardized, repeatable SOC playbook directly in Microsoft Visual Studio Code? Good news: you can! In this video, we'll show you how.

In this video, Josh Johnson shows us the future of Blue Team and Security Operations automation by using PowerShell to create an interactive notebook in Visual Studio Code. He demonstrates how to build a simple phishing playbook that shows how analysts could automate common actions: URL reputation lookup via the VirusTotal API, retrieving DMARC information for the sending domain, checking processes on affected systems, and more.

0:00 Introduction
1:13 Motivation for SOC Automation with PowerShell
2:58 What is an interactive notebook?
5:19 .dib vs. .ipynb Notebook Formats
4:53 Using Visual Studio Code for Interactive Notebooks with PowerShell
8:40 Creating a Setup Section for Variables and Input
12:50 Link Analysis - Leveraging the VirusTotal API
15:28 Email Sender Analysis with DMARC
16:58 Checking Processes on Infected Systems with Invoke-Command cmdlet
20:10 Adding Analyst Notes and Results to Investigation
21:50 Threat Hunting Campaigns Workflow with Notebooks

Josh Johnson is a SANS Certified Instructor and the course author of SEC586: Blue Team Operations: Defensive PowerShell. He has been working in the information security industry for over 10 years in varying roles, with responsibilities ranging from penetration testing to incident response. Josh was Purple Teaming since before it had a name, and he used his offensive security skill set to find and pursue his true passion: Blue Team. Since then, he has been helping organizations of all sizes, in industries ranging from healthcare to retail to finance, improve their cyber defense capabilities.

Links:
More about Josh: https://www.sans.org/profiles/josh-johnson
SANS SEC586: https://www.sans.org/sec586

#SOCPlaybooks #SecurityOperationsPlaybooks #SOCAutomation
#PowerShellAutomation #PowerShellforInformationSecurity
#WindowsAutomation #PowerShell #InteractiveNotebooks
#JupyterNotebooks #VisualStudioCodeNotebooks #AutomatingSecurityOperations #VisualStudio