Splunk Lantern

SOAR Maturity Journey

 

Status

Continuing through Q2, not as an initiative but as part of the Content Competition, to get the use cases shown in this table.

Overview

Build out the SOAR maturity journey on Lantern.

Value

During the FY24 Tech Summit main stage sessions, Splunk executives mentioned the need to offer our customers "prescriptive guidance" many times. That is the mission of Lantern. In addition, the company is shifting back to a security-first approach, so it makes sense for Lantern to focus this quarter on a security journey, over an observability one. A SOAR maturity journey on Lantern will help: 

  • Customers self-serve to know where they are in the journey and progress further (i.e. adopt Splunk SOAR further), thereby decreasing risk of customer churn.
  • Splunkers easily point their SOAR customers to useful content. 

Scope

In scope

  • Content audit
  • Base journey content development
  • Obtaining validation of how existing content fits into the journey
  • Identifying contributors to write missing content

Out of scope

  • N/A

Milestones

March 10: Milestone 1

All "consulted" meetings complete and understanding of buy-in/participation.

March 24: Milestone 2

Framework built in Lantern and audit of content needs complete.

April 21: Milestone 3

Content complete and journey published.

Note that it is still TBD whether the journey can be published piecemeal (without all corresponding action-oriented articles) as we have done with the Use Case Explorers, or whether it should be released all at once.

April 28: Milestone 4

Promotional campaigns designed, approved, and ready for launch the following week.

Risks

  • Need to understand if/how the new Mission Control release and the de-emphasis on SOAR for case management affect the maturity journey at all.
  • Might not be able to get all necessary articles in Q1. Might push to Q2 as part of our first incentive program.

Maintenance/Governance Plan

  • All articles will be governed by normal Content Maintenance. 
  • A special plan is needed with SOAR PMs so that Lantern is kept up-to-date with any journey changes.

Stakeholders

Name | RACI | Description
Jennifer Swallow | R, A | Primarily responsible for all work
Dane Disimino | I | Author of blog and white paper on this topic, but Dane is now working on Mission Control instead.
Coty Sugg | R | Taking the place of Dane.
Drew Church | C | Did Tech Summit presentation
John Dominguez | C | Splunk Technical Marketing for Security
Justin Bull and Chris Hankins | C | Potential help classifying articles along the maturity spectrum
Kaye Chapman | C | Consulted on changes to Lantern to fit in this journey

Resources

Description | Link
Original blog with link to white paper | https://www.splunk.com/en_us/blog/se...ity-model.html
Interface for progress visibility | https://airtable.com/appNgRcaTuHgdxg...q6vSfsYYY66ASa
Tech Summit presentations | https://drive.google.com/drive/folde..._j0XQwyhRTdUPH

Meeting Notes

Meeting Date | Attendees | Notes
March 1 | Jennifer, Kaye | Reviewed project plan
March 20 | Jennifer, Dilip (EDU), John D, Coty S, Jeffrey W | See notes below

John D is really only focused on SOAR from an IT perspective. May be something to pursue later this year. Coty and Jeffrey both committed to helping review and to finding people to add content as needed. They are working with some marketing people on more content we might be able to leverage.

Note that the SOAR GitHub repos are not well synced with the Security Research site. We should link to GitHub as source of truth.


Existing SOAR articles I haven't linked to:

Appendix

The following is the text of the white paper for ease of reuse.

Reactive and highly manual

The end goal of stage one is to automate the most basic, repetitive tasks using the apps and playbooks listed under stage one below. The main value of this stage is the ability to scale and work faster.

Action orientation

  • Alert investigation/triage
  • Initial blocking/quarantining
  • System reimage through corporate ticket management
  • Basic enrichment

Common use cases

  • Splunk notable enrichment
  • Critical investigation review
  • Ticketing system integration
  • Email investigation
  • External alert enrichment

Common SOAR applications

  • SOAR export
  • SOAR HTTP app
  • Splunk app
  • Ticketing apps
  • Reputation/intelligence
  • Email
  • Endpoint
  • Identity
  • Cloud

Common SOAR playbooks

  • Customer and host information
  • Reputation playbook for observables
  • Endpoint alert enrichment
  • Ticket creation and update
  • Cloud resource management
  • Reassign event, set status and other basic case management automation
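
The stage-one playbooks listed above (notable enrichment, a reputation playbook for observables, ticket creation and basic status changes) amount to one small workflow. The following is an added example, not part of the white paper and not Splunk SOAR's playbook API: it models that workflow in plain Python with a constructed notable event and a constructed reputation feed, extracting the observables, enriching each one, and deciding whether the case goes to ticketing with a block, to an analyst, or is closed. The names `triage`, `REPUTATION_FEED`, the sample event IDs and the score threshold are the example's own assumptions.

```python
"""Stage-one SOAR pattern: enrich a notable's observables and triage it.

Constructed example (not Splunk SOAR's playbook API): the notable event is a
plain dict, the reputation service is an inline table, and the ticket is a
returned record. The steps mirror a stage-one playbook chain: extract
observables, look each one up, record the verdict, hand off to ticketing or
to an analyst.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed reputation feed keyed by observable value; scores run 0-100.
REPUTATION_FEED: Dict[str, dict] = {
    "198.51.100.23": {"score": 90, "tags": ["c2"]},
    "203.0.113.8": {"score": 15, "tags": []},
    "d41d8cd98f00b204e9800998ecf8427e": {"score": 0, "tags": []},
}

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
MD5_RE = re.compile(r"\b[0-9a-fA-F]{32}\b")

# Internal ranges are not sent to the reputation feed (assumed RFC 1918 + loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass
class Observable:
    kind: str
    value: str
    score: Optional[int] = None      # None when the feed has never seen it
    tags: List[str] = field(default_factory=list)


def _is_external_ip(value: str) -> bool:
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:               # regex matched something like 999.1.1.1
        return False
    return not any(addr in net for net in INTERNAL_NETS)


def extract_observables(notable: dict) -> List[Observable]:
    """Pull external IPs and MD5 hashes out of every string field, deduplicated,
    in order of first appearance."""
    seen, found = set(), []
    for value in notable.values():
        if not isinstance(value, str):
            continue
        for kind, pattern in (("ip", IPV4_RE), ("md5", MD5_RE)):
            for match in pattern.findall(value):
                if kind == "ip" and not _is_external_ip(match):
                    continue
                key = (kind, match.lower())
                if key not in seen:
                    seen.add(key)
                    found.append(Observable(kind, match.lower()))
    return found


def enrich(observables: List[Observable], feed=REPUTATION_FEED) -> List[Observable]:
    """Attach the feed's score and tags to each observable it knows about."""
    for obs in observables:
        hit = feed.get(obs.value)
        if hit:
            obs.score, obs.tags = hit["score"], list(hit["tags"])
    return observables


def triage(notable: dict, feed=REPUTATION_FEED, block_threshold: int = 80) -> dict:
    """Return the enriched case plus the stage-one action for it.

    A confirmed-bad observable opens a ticket and requests the initial block;
    anything the feed has never seen goes to an analyst; fully known, low-score
    cases are closed. Executing the block itself is an app action, outside this example.
    """
    observables = enrich(extract_observables(notable), feed)
    scored = [o.score for o in observables if o.score is not None]
    unknown = [o.value for o in observables if o.score is None]
    max_score = max(scored, default=0)
    if max_score >= block_threshold:
        action = "open_ticket_and_block"
    elif unknown or not observables:
        action = "assign_analyst"
    else:
        action = "close_benign"
    return {
        "event_id": notable["event_id"],
        "max_score": max_score,
        "unknown_observables": unknown,
        "observables": [(o.kind, o.value, o.score, o.tags) for o in observables],
        "action": action,
    }


# Constructed notable events for demonstration.
NOTABLE_C2 = {"event_id": "n-1001", "rule_name": "Outbound to known bad",
              "src": "10.0.0.5", "dest": "198.51.100.23"}
NOTABLE_BENIGN = {"event_id": "n-1002", "rule_name": "Suspicious download",
                  "src": "10.0.0.9", "dest": "203.0.113.8",
                  "file_hash": "D41D8CD98F00B204E9800998ECF8427E"}
NOTABLE_UNKNOWN = {"event_id": "n-1003", "rule_name": "Rare destination",
                   "src": "10.0.0.12", "dest": "192.0.2.77"}

if __name__ == "__main__":
    for n in (NOTABLE_C2, NOTABLE_BENIGN, NOTABLE_UNKNOWN):
        print(triage(n))
```

In a real Splunk SOAR playbook each step is an app action (a reputation lookup, a ticket creation, a status change) rather than an inline table; the example keeps the decision logic visible so the stage-one boundary is clear: enrichment plus a ticket or an initial block, with unknowns routed to a person rather than auto-closed.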

Reactive / Proactive

The end goal of stage two is to reduce tribal knowledge and automate non-analysis tasks. The value of this stage is standardizing and introducing consistency to your operations, and conducting more accurate root cause analysis.

Action orientation

  • Triage/enrichment
  • Basic investigations
  • Basic response tasks
  • Email search and manual purge

Common use cases

  • Phased custom investigations
  • Advanced response tasks
  • Phishing response
  • Threat intelligence management
  • Vulnerability management
  • Zero Trust policy enforcement
  • Reverse malware analysis

Common SOAR apps

  • PCAP apps
  • Vulnerability apps
  • Identity apps
  • Threat intelligence apps
  • Forensic apps

Common SOAR playbooks

  • Customer and host information
  • Reputation playbook for observables
  • Endpoint alert enrichment
  • Ticket creation and update
  • Cloud resource management
  • Reassign event, set status and other basic case management automation

Detection processes/Splunk ES integration

  • Critical/high alert review and some medium alerts
  • Enterprise Security Content Updates (ESCU)
  • Risk-Based Alerting

Mostly proactive

The end goal of stage three is to use advanced playbooks to customize your environment. The value of this stage is better customization and consistently automating advanced workflows.

Action orientation

  • Use of countermeasures
  • Advanced investigations with forensic data
  • More surgical response capabilities
  • Reverse malware engineering
  • Automatic email search and purge

Common use cases

  • Splunk notable enrichment
  • Critical investigation review
  • Ticketing system integration
  • Email investigation
  • External alert enrichment

Common SOAR apps

  • SOAR export
  • SOAR HTTP app
  • Splunk app
  • Ticketing apps
  • Reputation/intelligence
  • Email apps
  • Endpoint apps
  • Identity apps
  • Cloud apps

Common SOAR playbooks

  • Input playbooks for above apps
  • Risk alert auto containment playbooks
  • Process termination
  • File removal
  • Reverse malware analysis
  • Dynamic observable analysis
  • Advanced content formatting
  • Dynamic customer interaction
  • Threat intelligence automation
  • Vulnerability management processes

Detection processes/Splunk ES integration

  • Some custom-built detections
  • Enterprise Security Content Updates
  • Risk-Based Alerting

Fully proactive

The end goal of stage four is to use highly customized playbooks that consistently automate advanced workflows. Once this happens, you’re in the top 5% of SOCs. The main value of this stage is root cause analysis, speed, scale and consistency in your daily operations.

Action orientation

  • Automated countermeasure response
  • Deep forensic capabilities
  • Reverse malware engineering

Common use cases

  • Advanced countermeasures
  • Automated response tasks
  • Integrated threat intelligence
  • Automated observable

Common SOAR apps

  • Custom integrations and apps
  • Needs full development capabilities

Common SOAR playbooks

  • Input playbooks for above apps
  • Custom hunting playbooks
  • End-to-end phishing playbook chain
  • Custom workflows for internal systems
  • Playbooks for quality assurance of the SOC

Detection processes/Splunk ES integration

  • Custom-built detections