About cookies on this site Our websites require some cookies to function properly (required). In addition, other cookies may be used with your consent to analyze site usage, improve the user experience and for advertising. For more information, please review your options. By visiting our website, you agree to our processing of information as described in IBM’sprivacy statement. To provide a smooth navigation, your cookie preferences will be shared across the IBM web domains listed here.
Threat Investigator
CCoE researchers are working on developing automatic security incident investigation and response capabilities for modern Security Operation Centers (SOCs). Incident investigation and determination of response consume excessive time and resources from the SOC analysts. Automating this process and providing the analyst with decision support mechanisms allows analysts to spend much less time on each incident, and makes it possible for the SOC team to better handle incidents, despite staff and skill shortages.
Our solution for automatic incident investigation includes several phases that pull data to support the decision making from different security systems such as SIEM, EDR, and others. This is done by correlating the alerts and data, then enriching the data with threat intelligence, asset information, risk, MITRE ATT&CK TTPs and more. The solution then presents analysts with information on the actions that should be done to mitigate the threat.
To accomplish this aggressive research agenda, we employ methods from graph theory, artificial intelligence, and data science. Our work involves understanding and experimenting with security products and platforms, and open source technologies such as STIX, Sigma, and MITRE ATT&CK.
A first version of this work was productized as the Threat Investigator application on IBM Cloud Pak For Security Version 1.6, and we continue to evolve and improve it. Watch the demo here.