Stage 2 of the SOAR Adoption Maturity Model
Characteristics of an organization in the Reactive / Proactive stage
At stage 2, the organization realizes they need additional people and processes. Likely have started to create SOC procedures and structures. Just now starting deep investigations and needs to quickly evaluate risk to the environment, and to block and remove the risk. At various levels of team formation for security engineering, threat hunting, and threat intel team. May have outsourced forensic/malware analysis or full in-house purple teaming. Team starting to capture metrics like mean time to detection (MTTD) and mean time to response (MTTR).
The SOC at this stage might be described as distributed SOC, centralized SOC, or managed SOC. The CISO has separated security operations and security engineering. They might have a small intelligence or compliance team and are likely to have L1- L2 MSSP. A security architect or SOC manager has started to source a few tier-2 SOC analysts and hired a tier-3 SOC analyst to manage incidents and build security operations procedures. Analysts manage critical alerts on a daily basis but can’t keep up with medium and high alerts.
How to advance past this stage
The end goal of stage two is to reduce tribal knowledge and automate non-analysis tasks. The value of this stage is standardizing and introducing consistency to your operations, and conducting more accurate root cause analysis. The focus is on improving the following:
- Triage/enrichment
- Basic investigations
- Basic response tasks
- Email search and manual purge
Common use cases
- Phased custom investigations
- Advanced response tasks
- Phishing response
- Threat intelligence management
- Vulnerability management
- Zero Trust policy enforcement
- Reverse malware analysis
For more Splunk SOAR use cases, see the Security Use Case Library.
Common SOAR applications
- PCAP apps
- Vulnerability apps
- Identity apps
- Threat intelligence apps
- Forensic apps
For more information on Splunk SOAR Connectors and to engage with the developers, see the GitHub repository.
Common SOAR playbooks
- Customer and host information
- AD_LDAP_Entity_Attribute_Lookup
- Attribute_Lookup_Dispatch
- Automated_Enrichment
- Azure_AD_Graph_User_Attribute_Lookup
- azure_new_user_census
- Crowdstrike_OAuth_API_Device_Attribute_Lookup
- ServiceNow_Related_Tickets_Search
- splunk_enterprise_security_tag_assets_and_identities
- Splunk_Notable_Related_Tickets_Search
- Reputation playbook for observables
- Automated_Enrichment
- corelight_investigate_dns_alert
- CrowdStrike_OAuth_API_Dynamic_Analysis
- domain_investigate
- extrahop_detect_data_exfiltration
- greynoise_ip_enrichment
- Identifier_Reputation_Analysis_Dispatch
- ip_enrichment
- ip_investigate_and_report
- lets_encrypt_domain_investigate
- Mission_Control_Identifier_Reputation_Analysis
- PhishTank_URL_Reputation_Analysis
- Splunk_Attack_Analyzer_Dynamic_Analysis
- suspicious_email_domain_enrichment
- symantec_proxysg_unblock_request
- threatquotient_investigate_and_respond
- UrlScan_IO_Dynamic_Analysis
- VirusTotal_v3_Dynamic_Analysis
- VirusTotal_v3_Identifier_Reputation_Analysis
- Endpoint alert enrichment
- crowdstrike_malware_triage
- extrahop_externally_accessible_databases
- gnql_enrichment
- internal_host_ssh_log4j_investigate
- internal_host_splunk_investigate_log4j
- internal_host_winrm_log4j_respond
- macos_ard_enumeration
- macos_root_password_mitigate
- recorded_future_indicator_enrichment
- reinfected_endpoint_check
- ssh_endpoint_investigate
- Splunk_Identifier_Activity_Analysis
- vmworld_wannacry_response
- Windows_Defender_ATP_Identifier_Activity_Analysis
- zscaler_patient_0_parse_email
- Ticket creation and update
- botnet_report_monitor
- compromised_email_containment
- create_ticket
- macos_root_password_mitigate
- Mission_Control_Related_Tickets_Search
- Related_Tickets_Search_Dispatch
- ssh_endpoint_investigate
- symantec_proxysg_unblock_request
- symantec_ioc_data_enhancement
- wannacry_investigate
- zscaler_hunt_and_block_url
- Cloud resource management
- Reassign event, set status and other basic case management automation
- alert_deescalation_for_test_machines
- alert_escalation_for_attacked_executives
- gnql_enrichment
- greynoise_on_poll_set_severity
- greynoise_update_severity_from_ip_reputation
- intelligence_management_enrich_indicators
- Mission_Control_Attribute_Lookup
- Mission_Control_Related_Tickets_Search
- on_poll_classification
- Related_Tickets_Search_Dispatch
- risk_notable_auto_merge
- risk_notable_enrich
- risk_notable_import_data
- risk_notable_investigate
- risk_notable_merge_events
- risk_notable_mitigate
- risk_notable_preprocess
- risk_notable_verdict
- ServiceNow_Related_Tickets_Search
- splunk_enterprise_security_close_investigation
- Splunk_Notable_Related_Tickets_Search
- start_investigation
- update_severity_from_ip_reputation
- wannacry_hunting
- wannacry_investigate
For more Splunk SOAR playbooks, see the GitHub repository.