Red and blue make purple – how to run purple team exercises
Purple teaming, as mentioned in Chapter 1, can be an important exercise in the SOC for testing detections. It also helps prove a negative: it shows which attacker behaviours go undetected and, more generally, where risk remains. In this section, we're going to work through some possibilities for using purple team exercises and talk through some common open source tools that can be critically helpful in running successful purple teams.
The first step in setting up a purple team is identifying the purpose and scope. In some cases, the purpose could be to evaluate a new tool such as a SIEM or an EDR platform; in other cases, it could be to test the response to a potential incident, train new team members, or prove where your gaps are. The scope should state which systems, accounts, and techniques are in bounds and which detections or data sources are under test, so that a missed detection can be attributed to a real gap rather than to an out-of-scope target. This should be planned out in advance of any engagement with a red team engineer, or whoever will be conducting the red team portion of the engagement. The next step would be to determine what tools will...