Skip to main content
Splunk Lantern

Stage 3 of the SOAR Adoption Maturity Model



Characteristics of an organization in the Mostly Proactive stage

At stage 3, the organization has mature SOC procedures and processes. Evaluates threats with triage and investigation capabilities and/or has outsourced capability for deep forensics. At various levels of team formation for security engineering, threat hunting, forensic/malware analysis, threat intelligence and more. The team is starting to leverage metrics for operational improvement and uses standard incident response methodologies. Conducts a lessons learned analysis.

The SOC at this stage might be described as centralized SOC, federated SOC, or managed SOC. The CISO has a capable security team with a security architect who runs engineering and a SOC manager who has standardized security practices with documented processes and some automation. The CISO has hired an incident response team manager to build out a computer security incident response team (CSIRT) with forensics, threat hunting, intelligence, and purple team capabilities. The CISO wants to source L2 and has all L3 in-house or might create a larger L3/CSIRT team and smaller SOC team.

How to advance past this stage

The end goal of stage three is to use advanced playbooks to customize your environment. The value of this stage is better customization and consistent automation of advanced workflows, such as the following:

  • Deploying countermeasures
  • Advanced investigations with forensic data
  • More surgical response capabilities
  • Reverse malware engineering
  • Automatic email search and purge

Common use cases

  • Splunk notable enrichment
  • Critical investigation review
  • Ticketing system integration
  • Email investigation
  • External alert enrichment

For more Splunk SOAR use cases, see the Security Use Case Library.

Common SOAR applications

For more information on Splunk SOAR Connectors and to engage with the developers, see the GitHub repository.

Common SOAR playbooks

For more Splunk SOAR playbooks, see the GitHub repository.