Skip to main content

SOC Workbooks and Lookups: System and Workflow

Shubham
Cybersecurity Enthusiast

1. System Overview

SOC Analysts often suffer from "Context Failure." A log tells you what happened, but not why it matters. To solve this, the SOC uses two mechanisms:

  1. Lookups (Static Data): Databases that answer "Who is this user?" and "What is this server?"
  2. Workbooks (Process Logic): Standardized checklists that tell the analyst "Do X, then do Y."

Together, they turn raw data into Enriched Intelligence.

2. Lookups: The Context Engine

An alert says User: j.doe accessed Server: 10.10.0.5. Is this bad? You can't know without Lookups.

A. Identity Inventory (The "Who")

A database (often pulled from Active Directory or HR systems like BambooHR) mapping usernames to roles.

  • Scenario: R.Lund (Financial Advisor) accesses financial files.
    • Lookup Result: Normal. He is in the Finance department.
  • Scenario: svc-veeam (Backup Service) logs in interactively.
    • Lookup Result: Suspicious. Service accounts should only run in the background.

B. Asset Inventory (The "What")

A list of every device, its IP, and its function.

  • Scenario: High traffic from 10.10.0.5.
  • Lookup Result: Hostname is HQ-FINFS-02 (Financial File Server).
  • Conclusion: High traffic is expected (file backups).

C. Network Diagrams (The "Where")

Visual maps of the network topology.

  • Key Concept: Segmentation.
  • Example:
    • 10.10.x.x = VPN Subnet (External users).
    • 172.16.15.x = Database Subnet (High Security).
  • Attack Path: If an IP from the VPN subnet tries to scan the Database subnet, the diagram confirms this is a violation of segmentation.

3. Workbooks: The Process Engine

Workbooks (also called Playbooks or Runbooks) are logic trees designed to standardize the Triage process. They remove "guessing" from the equation.

The Standard Workflow

Every workbook generally follows this logic flow (The "3 Phases"):

  1. Phase 1: Ingestion & Ownership

    • Step 1: Assign alert to Self.
    • Step 2: Review Alert Details (Timestamp, Source IP).
  2. Phase 2: Enrichment (Using Lookups)

    • Step 3: Check Identity Inventory (Who is the user?).
    • Step 4: Check Asset Inventory (Is the machine critical?).
    • Step 5: Check Threat Intel (Is the IP malicious?).
  3. Phase 3: Verdict & Action

    • Path A (Benign): If user role matches activity -> Close as False Positive.
    • Path B (Malicious): If activity is unauthorized -> Collect Evidence -> Escalate to L2.

4. Lab Analysis: Workbook Logic

In the provided lab scenarios, you built workbooks for different alert types.

  • Scenario 1: Phishing Email
    • Logic: Check Sender -> Check Attachment -> If malicious, Escalate.
  • Scenario 2: PowerShell Abuse
    • Logic: Check Parent Process (Word vs. Admin Tool) -> Check Command Line -> Escalate.
  • Scenario 3: Failed Logins
    • Logic: Check Asset Value -> Check if specific to one user or many -> Tune Rule if necessary.

5. Operational Reality vs. Theory

  • Stale Data: In the real world, Asset Inventories are rarely 100% accurate. Old servers are forgotten; new laptops aren't registered yet. "Trust but Verify."
  • Workbook Fatigue: If a workbook has 50 steps for a simple alert, analysts will ignore it. Good workbooks are short, modular, and automated (SOAR).
  • Shadow IT: You will often see traffic from devices not in your Asset Inventory. This is "Shadow IT" (Devices users plugged in without asking). It is almost always a security risk.