Splunk Lantern

Stage 1 of the SOAR Adoption Maturity Model

Characteristics of an organization in the Mostly Reactive and Highly Manual stage

At stage 1, the organization either lacks the personnel and processes to support investigations or has only very basic processes in place. Employees need assistance to quickly evaluate risk to the environment, and to block and remove that risk.

The SOC at this stage might be described as ad hoc, security as an additional duty, a distributed SOC, or a managed SOC. The chief information security officer (CISO) has a capable security team that does its own engineering. They have a security architect or SOC manager to manage incidents and build a security ecosystem. The SOC is usually supported by a managed security service provider (MSSP) for level 1-2 alerts and contracts with an incident responder for severe incidents. Analysts struggle to get through critical alerts, and high- and medium-severity alerts and notables are not being worked.

How to advance past this stage

The end goal of stage one is to help you automate the most basic, repetitive tasks by using apps and playbooks. The main value of this stage is the ability to scale and work faster on the following processes:

  • Alert investigation and triage
  • Initial blocking and quarantining
  • System reimaging through corporate ticket management
  • Basic enrichment

Common use cases

For more Splunk SOAR use cases, see the Security Use Case Library.

Common SOAR applications

For more information on Splunk SOAR Connectors and to engage with the developers, see the GitHub repository.

Common SOAR playbooks

For more Splunk SOAR playbooks, see the GitHub repository.