In this paper we aim to develop a proof of concept framework as a step-by-step process for identifying what type of information and log types a SOC analyst needs to analyze and handle an alarm based on the alarms MITRE technique. To solve this, it was decided that using both theoretical and experimental research methodologies could be advantageous. Hence we first used a Systematic Literature Review to search, screen, and select relevant literature. Followed by the usage of Design Science Research method for conducting the research based upon a theoretical basis, and an experimental process. To develop a framework consisting of an easy to understand and independent step-by-step process.
The proof of concept framework introduced in this paper, is an eight step process describing how one may proceed when gathering data needed for automating information gathering based on alarms MITRE techniques. In these eight steps it revolves around three main concepts, which are gathering a theoretical foundation by research and discussion, improving the theoretical foundation by testing and adjusting, and ends with a continuous process of maintaining the constructed automations when used in a production setting. This framework produced accurate results when tested during research, and we believe it should be further explored and tested in a larger scale. Also it should be considered a stepping stone into further automating the whole alarm handling process, from gathering data to response
