Security orchestration, automation, and response data
Security orchestration, automation, and response (SOAR) data refers to the information generated, processed, and managed by SOAR platforms that coordinate, automate, and streamline security operations workflows. This data includes alerts, incident records, playbook executions, task assignments, enrichment results, evidence collection, and audit trails—enabling faster, more consistent, and documented responses to security threats and events.
The key characteristics of SOAR data include being:
- Workflow-centric: Captures the sequence of automated and manual steps in security incident handling
- Integrative: Aggregates data from multiple security tools (SIEM, EDR, threat intel, ticketing, etc.)
- Actionable: Documents decisions, actions, and outcomes for each security event
- Auditable: Provides logs, evidence, and reports for compliance and review
Examples of SOAR data include:
- Alert ingestion records: SIEM alert details captured by the SOAR platform
- Incident case data: Incident ticket with status, assignments, and history
- Playbook execution logs: Steps, actions, and outcomes of automated/manual workflows
- Automated response actions: Actions like IP blocking, account disabling, device isolation
- Threat intelligence enrichment results: Results from domain/IP/file reputation checks
- Task assignments and audit trails: Manual tasks and analyst actions with timestamps and notes
- Evidence and artifact collection: Collected logs, artifacts, and related metadata
- Case closure and reporting: Summary of incident resolution and post-action documentation
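To make the record types listed above concrete, here is a small added example (not Splunk SOAR code, and not from the page's author) of a playbook runner that ingests a constructed SIEM alert, enriches it against a constructed reputation table, decides whether to act or hand off to an analyst, and leaves an audit trail. The field names, the `Case` structure, the `block_ip` stand-in and the confidence threshold are all assumptions made for readability, not any vendor's schema or API.

```python
"""Minimal playbook runner showing the record types SOAR data is made of.

Added illustration only; the alert, the reputation table and the playbook
steps are constructed for this example, and field names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed threat-intel lookup standing in for a reputation service.
REPUTATION = {
    "203.0.113.7": {"verdict": "malicious", "confidence": 90},
    "198.51.100.20": {"verdict": "benign", "confidence": 80},
}


@dataclass
class Case:
    """One incident case: ingested alert plus everything the playbook recorded."""
    case_id: str
    alert: dict                                      # alert ingestion record
    status: str = "new"
    enrichment: dict = field(default_factory=dict)   # enrichment results
    actions: list = field(default_factory=list)      # automated response actions
    audit: list = field(default_factory=list)        # audit trail
    tasks: list = field(default_factory=list)        # manual task assignments

    def log(self, actor, step, outcome):
        # Every step, automated or manual, gets a timestamped audit entry.
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "step": step, "outcome": outcome,
        })


def enrich_ip(case, ip):
    """Reputation lookup; unknown indicators get an explicit 'unknown' verdict."""
    result = REPUTATION.get(ip, {"verdict": "unknown", "confidence": 0})
    case.enrichment[ip] = result
    case.log("playbook", f"reputation_lookup({ip})", result["verdict"])
    return result


def block_ip(case, ip):
    # Stand-in for a firewall connector call: records the action, performs nothing.
    action = {"action": "block_ip", "target": ip, "result": "success"}
    case.actions.append(action)
    case.log("playbook", "block_ip", "success")
    return action


def run_playbook(alert, threshold=70):
    """Ingest an alert, enrich, decide, act (or assign), and record it all."""
    case = Case(case_id=f"CASE-{alert['alert_id']}", alert=alert)
    case.log("soar", "ingest_alert", alert["source"])
    case.status = "in_progress"
    ip = alert["src_ip"]
    rep = enrich_ip(case, ip)
    if rep["verdict"] == "malicious" and rep["confidence"] >= threshold:
        block_ip(case, ip)
        case.status = "contained"
    else:
        # Below threshold or unknown: route to an analyst instead of acting automatically.
        case.tasks.append({"assignee": "tier1", "task": f"review {ip}", "state": "open"})
        case.log("playbook", "assign_task", "tier1")
        case.status = "pending_analyst"
    return case


def close_case(case, analyst, summary):
    """Case closure record: who closed it and the resolution summary."""
    case.status = "closed"
    case.log(analyst, "close_case", summary)
    return case


# Constructed SIEM alert for a stand-alone run.
SAMPLE_ALERT = {"alert_id": "1042", "source": "siem", "rule": "beaconing",
                "src_ip": "203.0.113.7", "severity": "high"}

if __name__ == "__main__":
    c = close_case(run_playbook(SAMPLE_ALERT), "analyst.a",
                   "Confirmed C2 beacon; host reimaged")
    for entry in c.audit:
        print(entry["ts"], entry["actor"], entry["step"], entry["outcome"])
```

The audit list is the piece a reviewer or auditor reads later: it shows the automated decision path (ingest, enrich, block) for a high-confidence verdict, and the hand-off to a human task when the evidence is weaker, which is the distinction between fully automated and analyst-gated response that playbook design usually turns on.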
Add-ons and apps
- Splunk App for SOAR Export
- Splunk App for SOAR
- Splunk IT Service Intelligence Connector for SOAR
- Splunk Attack Analyzer Connector for Splunk SOAR
- IBM QRadar SOAR Add-on for Splunk
- SIRP SOAR Add-On for Splunk
- HYAS Protect for Splunk SOAR Connector
- HYAS Insight for Splunk SOAR Connector
- Recorded Future For Splunk SOAR Connector
- ThreatQuotient Splunk SOAR Connector
- VMware Carbon Black Cloud for Splunk SOAR Connector
- Dataminr Pulse for Splunk SOAR Connector
- CrowdSec for SOAR Connector
- xMatters for SOAR Connector
- GreyNoise for SOAR Connector
- Group-IB Threat Intelligence for SOAR Connector
- Darktrace for Splunk SOAR Connector
- Silent Push App for Splunk SOAR Connector
- Trend Vision One for Splunk SOAR Connector