Stage 4 of the SOAR Adoption Maturity Model

Characteristics of an organization in the Fully Proactive stage

At stage 4, the organization is fully aware of what they need to do and how to do it.

The SOC at this stage might be described as centralized SOC, coordinated SOC, hierarchical SOC, federated SOC, national SOC, or managed SOC. The CISO has a standard or hybrid SOC. The hybrid SOC has more L3 resources than L2s, and SOC teams build detections with automation and response processes. There is deep use of threat intelligence analysis and forensic triage of all host, network, and account compromises.

What happens at this stage

The end goal of stage four is to use highly customized playbooks that consistently automate advanced workflows. After this happens, the organization is in the top 5% of SOCs. The main value of this stage is root cause analysis, speed, scale, and consistency in daily operations.

Common use cases

Advanced countermeasures
Automated response tasks
Integrated threat intelligence
Automated observable

For more Splunk SOAR use cases, see the Security Use Case Library.

Common SOAR applications

Custom integrations and apps (On-Prem or Cloud)
Needs full development capabilities

For more information on Splunk SOAR Connectors and to engage with the developers, see the GitHub repository.

Common SOAR playbooks

Input playbooks for above apps
Custom hunting playbooks
End-to-end phishing playbook chain
Custom workflows for internal systems
Playbooks for quality assurance of the SOC
- test_connectivity
  For more Splunk SOAR playbooks, see the GitHub repository.
  
  Previous step
  
  Go to Product Tips