Characteristics of an organization in the Fully Proactive stage
At stage 4, the organization is fully aware of what it needs to do and how to do it.
The SOC at this stage might be described as a centralized SOC, coordinated SOC, hierarchical SOC, federated SOC, national SOC, or managed SOC. The CISO runs a standard or hybrid SOC. The hybrid SOC has more L3 resources than L2s, and SOC teams build detections together with the automation and response processes that act on them. There is deep use of threat intelligence analysis, and forensic triage is performed on every host, network, and account compromise.
What happens at this stage
The end goal of stage 4 is to use highly customized playbooks that consistently automate advanced workflows. An organization operating this way is in the top 5% of SOCs. The main value of this stage is root cause analysis, along with speed, scale, and consistency in daily operations.
Common use cases
- Advanced countermeasures
- Automated response tasks
- Integrated threat intelligence
- Automated observable
For more Splunk SOAR use cases, see the Security Use Case Library.
Common SOAR applications
For more information on Splunk SOAR Connectors and to engage with the developers, see the GitHub repository.
Common SOAR playbooks
- Input playbooks for the apps above
- Custom hunting playbooks
- End-to-end phishing playbook chain
- Custom workflows for internal systems
- Playbooks for quality assurance of the SOC