Manage a Remote SOC: Micro-Surveys for Crisis Management

May 12, 2020
3 minutes

How many weeks has it been since lockdown? I have lost count as the weekdays blur into the weekends. But one thing is constant regardless of where you are: the work of a SOC must go on. While some may imagine that security analysts spend all their time investigating incidents for signs of malicious activity, communication tasks also play a vital role in protecting organizations and performing crisis management. The change from working in person to working remotely brings changes in the ways security analysts communicate with end users and share information with each other.

Considering how important communication can be, we know it’s important to include ways to make your communication easier in our series of tips for managing a remote SOC

A part of the work of incident response is collecting data from end users. This can be part of addressing a phishing campaign – you might want to poll end users to see if they clicked on a link or an attachment. Having accurate data on how successful the phishing campaign has been in your organization can help you devote an appropriate level of resources to mitigating it. You may need to communicate with end users as part of a crisis management effort during this time of transition. You may want to know if users have experienced difficulty with connecting to the corporate network so you can address those issues and prevent users from turning to unauthorized devices or networks. The information you gather from users often needs to be shared with others in the SOC.

Did you know that communication tasks can be built into Cortex XSOAR playbooks to send quick micro-surveys to your users for data collection and enrichment? 

Here are a few examples of communication tasks in Cortex XSOAR:


Ask Tasks

These are conditional one-question surveys, the answers to which will determine how the playbook will proceed.

This screenshot shows how you can create Ask Tasks in Cortex XSOAR. These micro-surveys can be used as a crisis management tool when managing a remote SOC.


Data Collection Task

These are more detailed surveys that relevant users can access through a link sent to their email. All responses to the survey are stored in incident context, for example, as part of a phishing incident, enabling you to use the data as inputs for playbook tasks or for analysis in dashboards. These data collection tasks are fully customizable, allowing you to set question formats (short-text, single-select, etc), task type and frequency of sending out the questionnaire. All responses to the survey are stored in incident context, enabling you to reuse the data as inputs for future playbook tasks or track the data in dashboards.

Want to see these tools in action? Watch Rishi Bhargava, vice president, product strategy, explain how we used micro-surveys to monitor employee health status.

If you are new to Cortex XSOAR, we encourage you to take it for a test drive, and feel free to kick the tires while you are at it.  Stay safe, stay healthy – until the next post. 

Sign up for the free Community Edition of Cortex XSOAR today.

We hope you enjoyed learning about using micro-surveys for crisis management in Cortex XSOAR. Watch for more useful tips and hints in the next post in our series on the remote SOC.

The free Cortex XSOAR Community Edition is helping more than 4,000 users accelerate incident response.

Subscribe to the Newsletter!

Sign up to receive must-read articles, Playbooks of the Week, new feature announcements, and more.