Using SOAR automation to improve your SOC processes
Security automation can be challenging in large, complex enterprises. You might face organizational roadblocks, policy constraints, or resistance from other system owners when trying to implement automation.
However, many automation steps simply involve investigating previously collected data - which is ideal for searching in Splunk Enterprise. You can automate SPL searches from Splunk SOAR without the red tape of broader enterprise system integrations, since both systems typically sit within the same organizational area.
This guide shares best practices from our largest successful customers, provides automation ideas you might not have considered, and shows you ways to improve your existing automations.
How to best approach Splunk SOAR automation
Click into the following articles to learn how to approach enterprise-level security automation tasks:
How to best develop Splunk SOAR playbooks
This section assumes that you already know how to write SOAR playbooks at a foundational level. If not, see Create playbooks in Splunk SOAR, and then come back to these articles.
Click into any of the following articles to learn how to create new, useful playbooks or improve the ones you already have:
- Container enrichment
- Remote script execution
- Remote command execution
- Leverage lookup tables
- User-focused security investigations
- SPL eval functions
- User-initiated approval of automation
Additional resources
.conf presentations
Now that you have an idea of how you can use SOAR to help with automation, watch the full .conf talks:
- Practical SOAR examples from the field (.conf24) [recording | slides]
- Practical SOAR examples from the field: Part 2 (.conf25) [recording | slides]
In these talks, you'll get more detail on these best practices and advice on bringing in more SOAR automation to your organization.
GitHub repository
The GitHub repository below contains real playbooks from the field.
- GitHub: MattHyp3 Repository
Splunk Lantern Articles
- Splunk Lantern Article: Understanding playbook types in SOAR
- Splunk Lantern Article: Improving SOAR playbook design
- Splunk Lantern Article: Applying useful SOAR playbook design features
- Splunk Lantern Article: Earning approval for automation activities in your organization