Stage 1 of the SOAR Adoption Maturity Model
Characteristics of an organization in the Mostly Reactive and Highly Manual stage
At stage 1, the organization doesn’t have the personnel or processes to support investigations or the organization has very basic processes in place. Employees need assistance to quickly evaluate risk to the environment, and to block and remove the risk.
The SOC at this stage might be described as ad hoc, security as an additional duty, distributed SOC, or managed SOC. The chief information security officer (CISO) has a capable security team that does their own engineering. They have a security architect or SOC manager to manage incidents and build a security ecosystem. The SOC is usually supported by a managed security service provider (MSSP) for level 1-2 alerts and contracts with an incident responder for severe incidents. Analysts struggle with getting through critical alerts. High, medium alerts/notables are not being worked.
How to advance past this stage
The end goal of stage one is to help you automate the most basic, repetitive tasks by using apps and playbooks. The main value of this stage is the ability to scale and work faster on the following processes:
- Alert investigation and triage
- Initial blocking and quarantining
- System reimagining through corporate ticket management
- Basic enrichment
Common use cases
- Splunk notable enrichment
- Critical investigation review
- Ticketing system integration
- Email investigation
- External alert enrichment
For more Splunk SOAR use cases, see the Security Use Case Library.
Common SOAR applications
- Splunk App for SOAR Export
- SOAR HTTP App
- Splunk App for SOAR
- Ticketing apps
- Reputation/intelligence
- Endpoint
- Identity
- Cloud
For more information on Splunk SOAR Connectors and to engage with the developers, see the GitHub repository.
Common SOAR playbooks
- Customer and host information
- Reputation playbook for observables
- Automated_Enrichment
- CrowdStrike_OAuth_API_Dynamic_Analysis
- Identifier_Reputation_Analysis_Dispatch
- PhishTank_URL_Reputation_Analysis
- Splunk_Attack_Analyzer_Dynamic_Analysis
- UrlScan_IO_Dynamic_Analysis
- Threat_Intel_Investigate
- VirusTotal_v3_Dynamic_Analysis
- VirusTotal_v3_Identifier_Reputation_Analysis
- Endpoint alert enrichment
- Ticket creation and update
- Reassign event, set status and other basic case management automation
- For more Splunk SOAR playbooks, see the GitHub repository.