SOAR comprises the Case Management and Orchestration & Automation applications.
- Case management team. People involved with case management, also called incident response. This includes managing the case or incident team, responding to assigned tasks, monitoring cases, performing statistical analysis, and so on. The case management team uses the Case Management application.
- System administrator. User who configures and maintains the administrative part of the Orchestration & Automation application. This is mainly an IT-type administrator who is responsible for managing users and their permissions and creating groups and roles.
- Playbook designer. User who designs, implements, and maintains the flow of responses to cases and incidents. This includes rules, conditions, workflows, incident/case layouts, and so on. An advanced playbook designer is knowledgeable with the Python language and can write scripts to aid in advanced incident response. In addition, this person can deploy and manage extensions to the application.
- App developer. If your organization has a license for Orchestration & Automation, this is the user who creates apps to access and return external data, interact or integrate with other security systems, or act as a utility that performs a specific action.
A single user can perform multiple roles, but for the purposes of this guide, the roles are treated as separate. If your organization does not install the license for Orchestration & Automation, you can use the Case Management application to manage cases, but many of the features of security orchestration, automation and response are not available.