Understanding SOAR case management features
As a security analyst who works in Splunk SOAR, you know how to analyze events using the investigation page. You also know that you can promote events to a case. Now, you want to understand the basics of managing complex cases so you can work more efficiently and effectively.
Solution
Workbooks
Workbooks coordinate complex activities by multiple users during event analysis or case operations. Different workbooks handle different kinds of situations.
- New workbooks can be added to events or cases at any time, and workbooks can be edited.
- Playbooks can automate the process of identifying an event as a case, promoting it, and assigning the appropriate workbook to a case.
- A workbook consists of one or more phases, each containing one or more tasks.
- Phases and tasks can each have their own service level agreement (SLA) requirements. Owners of cases and tasks will receive notifications when SLAs are exceeded.
- Phases are assumed to be completed in order, but the tasks within a phase have no fixed order.
- Notes can be added to each phase so that the user responsible for it can record additional information.
- Each task is assigned to a user and identifies an action the user must take, has a status, and can have associated actions, files, and notes.
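The structure just described (ordered phases, unordered tasks within a phase, and separate SLAs on phases and tasks with notifications to the responsible owner) is easier to reason about as a small model. The following is an added example written for this article; it is a constructed illustration of those rules, not Splunk SOAR's own data model, playbook API, or REST API. The workbook name, phase and task names, owners, SLA values and the notification records it produces are all assumed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed model of a workbook: phases are ordered, tasks inside a phase are
# not, and both phases and tasks may carry an SLA. Field names and the
# notification format are assumptions for illustration, not SOAR's schema.


@dataclass
class Task:
    name: str
    owner: str                          # user who is notified if the task SLA is exceeded
    sla: Optional[timedelta] = None
    started: Optional[datetime] = None
    completed: Optional[datetime] = None


@dataclass
class Phase:
    name: str
    tasks: List[Task]                   # unordered: any task may be worked first
    sla: Optional[timedelta] = None
    started: Optional[datetime] = None  # set when the first task in the phase starts

    def is_complete(self) -> bool:
        return all(t.completed is not None for t in self.tasks)


@dataclass
class Workbook:
    name: str
    phases: List[Phase]                 # ordered: phase N completes before N+1 begins
    case_owner: str                     # user who is notified if a phase SLA is exceeded

    def active_phase(self) -> Optional[Phase]:
        """First phase that still has open tasks; None when the workbook is done."""
        for phase in self.phases:
            if not phase.is_complete():
                return phase
        return None

    def _task(self, phase_name: str, task_name: str) -> Task:
        phase = self.active_phase()
        if phase is None or phase.name != phase_name:
            raise ValueError(f"phase {phase_name!r} is not the active phase")
        for task in phase.tasks:
            if task.name == task_name:
                return task
        raise KeyError(task_name)

    def start_task(self, phase_name: str, task_name: str, now: datetime) -> None:
        task = self._task(phase_name, task_name)   # enforces phase ordering
        phase = self.active_phase()
        if phase.started is None:
            phase.started = now
        task.started = now

    def complete_task(self, phase_name: str, task_name: str, now: datetime) -> None:
        task = self._task(phase_name, task_name)
        if task.started is None:
            raise ValueError(f"task {task_name!r} has not been started")
        task.completed = now

    def sla_breaches(self, now: datetime) -> List[Dict[str, str]]:
        """Open phase/task SLAs exceeded at `now`, with the owner to notify."""
        breaches: List[Dict[str, str]] = []
        phase = self.active_phase()
        if phase is None:
            return breaches
        if phase.started and phase.sla and now - phase.started > phase.sla:
            breaches.append({"kind": "phase", "name": phase.name, "notify": self.case_owner})
        for task in phase.tasks:
            if task.started and task.completed is None and task.sla and now - task.started > task.sla:
                breaches.append({"kind": "task", "name": task.name, "notify": task.owner})
        return breaches


def build_sample_workbook() -> Workbook:
    """Constructed two-phase workbook; names, owners and SLAs are made up."""
    return Workbook(
        name="Phishing response",
        case_owner="alice",
        phases=[
            Phase("Triage", sla=timedelta(hours=1), tasks=[
                Task("Collect headers", owner="bob", sla=timedelta(minutes=30)),
                Task("Check sender reputation", owner="carol", sla=timedelta(minutes=30)),
            ]),
            Phase("Containment", sla=timedelta(hours=4), tasks=[
                Task("Block sender domain", owner="bob"),
            ]),
        ],
    )


def run_scenario() -> dict:
    """Walk the sample workbook through a constructed timeline and report the outcome."""
    wb = build_sample_workbook()
    t0 = datetime(2024, 1, 1, 9, 0)            # constructed start time
    out_of_order_rejected = False
    try:                                        # phase 2 work is refused while phase 1 is open
        wb.start_task("Containment", "Block sender domain", t0)
    except ValueError:
        out_of_order_rejected = True
    wb.start_task("Triage", "Check sender reputation", t0)           # tasks in any order
    wb.start_task("Triage", "Collect headers", t0 + timedelta(minutes=5))
    wb.complete_task("Triage", "Collect headers", t0 + timedelta(minutes=20))
    return {
        "out_of_order_rejected": out_of_order_rejected,
        "breaches_at_45": wb.sla_breaches(t0 + timedelta(minutes=45)),  # task SLA only
        "breaches_at_70": wb.sla_breaches(t0 + timedelta(minutes=70)),  # phase SLA too
        "active_phase": wb.active_phase().name,
    }


if __name__ == "__main__":
    print(run_scenario())
```

At 45 minutes only the still-open task with a 30-minute SLA is overdue, so just its owner is notified; at 70 minutes the one-hour phase SLA is also exceeded and the case owner is notified as well. Completed tasks never appear in the breach list, which mirrors the point that SLA notifications concern outstanding work.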
Evidence
- Significant items in a case can be marked as evidence to indicate what data is most important. These appear in the Evidence tab.
- Files, artifacts, action results, other events, and notes can all be marked as evidence in their context menus.
- Playbooks can automate marking evidence.
Reports
- Event report. This provides a detailed summary of current state and history for the event.
- Case report. This is similar to the event report, but provides added details on workbook status.
- Executive summary. This provides an overview of events and status, and it can be scheduled.
Next steps
If you found this article useful and want to advance your skills, Splunk Education offers a 3-hour, instructor-led course on investigating incidents with Splunk SOAR. The hands-on labs in the course will teach you how to:
- start investigations
- work on events
- deal with complex incidents and reporting
Click here for the course catalog where you can read the details about this and other Splunk SOAR courses, as well as register.