Skip to main content
Splunk Lantern の記事が日本語で利用できるようになりました。.
Splunk Lantern

Stage 2 of the SOAR Adoption Maturity Model



Characteristics of an organization in the Reactive / Proactive stage

At stage 2, the organization realizes they need additional people and processes. Likely have started to create SOC procedures and structures. Just now starting deep investigations and needs to quickly evaluate risk to the environment, and to block and remove the risk. At various levels of team formation for security engineering, threat hunting, and threat intel team. May have outsourced forensic/malware analysis or full in-house purple teaming. Team starting to capture metrics like mean time to detection (MTTD) and mean time to response (MTTR).

The SOC at this stage might be described as distributed SOC, centralized SOC, or managed SOC. The CISO has separated security operations and security engineering. They might have a small intelligence or compliance team and are likely to have L1- L2 MSSP. A security architect or SOC manager has started to source a few tier-2 SOC analysts and hired a tier-3 SOC analyst to manage incidents and build security operations procedures. Analysts manage critical alerts on a daily basis but can’t keep up with medium and high alerts.

How to advance past this stage

The end goal of stage two is to reduce tribal knowledge and automate non-analysis tasks. The value of this stage is standardizing and introducing consistency to your operations, and conducting more accurate root cause analysis. The focus is on improving the following:

  • Triage/enrichment
  • Basic investigations
  • Basic response tasks
  • Email search and manual purge

Common use cases

For more Splunk SOAR use cases, see the Security Use Case Library.

Common SOAR applications

For more information on Splunk SOAR Connectors and to engage with the developers, see the GitHub repository.

Common SOAR playbooks

For more Splunk SOAR playbooks, see the GitHub repository.