Skip to main content
Splunk Lantern

Automation and orchestration


Automation and orchestration is an essential part of developing a more proactive response to threats. With Splunk SOAR, you can streamline your security operations by automating repetitive tasks, investigations, and responses. This results in increased efficiency and productivity within your security team.

What are the benefits of automating incident response?

By building security automation into the incident response process, you let your system monitor, review, and initiate a response, rather than having people monitor your security posture and manually react to events. Incident response teams see hundreds of alerts per day, and if analysts continue to respond to alerts in the same way, they risk alert fatigue. Over time, analysts can become desensitized to alerts which can lead to mistakes when handling ordinary situations or overlooking unusual alerts that need to be reviewed.

Automation via Splunk SOAR helps avoid alert fatigue by using workflow actions, or playbooks, that process the repetitive and ordinary alerts, leaving analysts to handle the most sensitive and unique incidents. Purpose-driven dynamic playbooks allow you to adapt quick, decision-based practices on new incidents and focus on high-level investigations while reducing repetitive investigative tasks.

You can achieve the following benefits through Splunk SOAR automation:

  • Triage alarms more effectively.
  • Respond to critical events faster.
  • Seamlessly integrate your existing security solutions into a more efficient and comprehensive incident response program.
  • Centrally automate retrieval, sharing, and response actions for improved detection, investigation and remediation times.
  • Improve operational efficiency using workflow based context with automated and human-assisted decision making.
  • Extend new insights into threats by leveraging context, data enrichment, and adaptive response.

What are automation and orchestration best practices?

You can become more efficient by programmatically automating steps within incident response processes.

First, identify the remediation pattern to an event or use Splunk Enterprise Security notables, and then codify those items into actionable logic using the visual editor, or through the integrated development environment.

Responders can then execute playbooks to triage, escalate and remediate issues. Over time you can automate more and more steps, and ultimately automatically handle common incidents, freeing up your analysts to focus on critical threats.

You can also use Splunk Security Essentials (SSE) to identify content where there are recommended SOAR playbooks available, and access guidance on how those playbooks can help to address threats through automation.

During an incident, timing matters, and analysts need to zero in on the evidence that leads to resolution. Implementing content-based processes to quickly tap into correlated security incidents and events helps you achieve your mean-time-to-recovery (MTTR) goals.

What automation and orchestration processes can I put in place?    

Splunk recommends following the Prescriptive Adoption Motion: Automation and Orchestration. This guide walks you step-by-step through planning, training, analyzing important considerations, and implementing a SOAR solution in your business. 

These additional resources will help you implement this guidance: