{\rtf1\ansi\deff0\deflang2057\plain\fs24\fet1
{\fonttbl
{\f0\froman Arial;}
}
{\info
{\createim\yr2022\mo2\dy20\hr1\min15}
}

\paperw11907\paperh16840\margl1800\margr1800\margt1440\margb1440
\slmult0\ltrpar\li0
{\b\fs28
Shuffle categories
}
\par\pard\plain
\slmult0\ltrpar\li200
{\fs24
1. Collect & Distribute
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
2-way Ticket synchronization
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Email management
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Attachments
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Manage senders
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Manage URLs
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Encode & Decode URLs
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Release a quarantined message
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
EDR to ticket
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Fetch incidents & events
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Quarantine files
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Quarantine host (respond)
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Get host information
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
SIEM to ticket
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
ChatOps
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Threat Intel received
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Domain investigation with LetsEncrypt
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Botnet tracker
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Get running containers
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Assign tickets
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Firewall alerts
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Block/accept policies
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Add addresses and ports to groups
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Support custom URL categories
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Fetch logs for specific address
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
URL filtering
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
IDS/IPS alerts
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Get/Fetch alerts
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Receive alerts real-time
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Get PCAP files
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Get network logs
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Manage policies
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Deduplicate information
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Correlate information
}
\par\pard\plain
\slmult0\ltrpar\li200
{\fs24
3. Detect
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Search SIEM (Sigma)
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Network
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Endpoint
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Search EDR (OSQuery)
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Search emails (Phish)
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Check malware
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Check targeted
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Check headers and IOCs
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Search IOCs (ioc-finder)
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Search files (Yara)
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Correlate tickets
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Honeypot access
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
S3 Honeypot
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
SSH Honeypot
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
FTP honeypot
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Network honeypot
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
...
}
\par\pard\plain
\slmult0\ltrpar\li200
{\fs24
rich
}
\par\pard\plain
\slmult0\ltrpar\li200
{\fs24
5. Verify
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Discover vulnerabilities
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Discover assets
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Ensure policies are followed
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Find Inactive users
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Ensure access rights match HR systems
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Ensure onboarding is followed
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Third party apps in SaaS
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Devices used for your cloud account
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Too much access in GCP/Azure/AWS/ other clouds
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Certificate validation
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Monitor new DNS entries for domain with passive DNS
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Monitor and track password dumps
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Monitor for mentions of domain on darknet sites
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Reporting
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Automation time saved
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Automation money saved
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Incident response report
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Department cost
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Monthly reports
}
\par\pard\plain
\slmult0\ltrpar\li800
{\fs24
EDR alerts
}
\par\pard\plain
\slmult0\ltrpar\li800
{\fs24
SIEM alerts
}
\par\pard\plain
\slmult0\ltrpar\li800
{\fs24
Emails quarantined
}
\par\pard\plain
\slmult0\ltrpar\li800
{\fs24
...
}
\par\pard\plain
\slmult0\ltrpar\li200
{\fs24
4. Respond
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Eradicate malware
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Quarantine host(s)
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Trigger scans
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Update indicators (FW, EDR, SIEM...)
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Autoblock activity when threat intel is received
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Lock/Delete/Reset account
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Lock vault
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Increase authentication
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Get policies from assets
}
\par\pard\plain
\slmult0\ltrpar\li200
{\fs24
2. Enrich
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Internal Enrichment
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Users
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Hostnames
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
IPs
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Departments
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Role
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Software
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
...
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
External historical Enrichment
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
IPs
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
URLs
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Hashes
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Files
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
...
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Realtime
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
File detonation
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
URL detonation
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
PCAP analysis
}
\par\pard\plain
\slmult0\ltrpar\li600
{\fs24
Analyze screenshots
}
\par\pard\plain
\slmult0\ltrpar\li400
{\fs24
Ticketing webhook verification
}
\par\pard\plain
}