Use cases
The IBM Security Orchestration & Automation application is customizable, and you can tailor it to the following basic use cases.
- Monitoring and escalation. Cases, together with their relevant data, can be entered by application users or by systems integrated with Orchestration & Automation, and their status can be monitored from creation to resolution. Data can include artifacts such as IP addresses, file hashes, URLs, user names and machine names; every artifact is associated with a case.
- Identification and enrichment. Automatic threat intelligence lookups, workflows and menu-driven actions add context and reduce the time needed to identify scope and impact, enabling a rapid, decisive response. You can trigger sandbox evaluation and build rules that act on the results, and search logs and endpoints to make decisions based on that data.
- Containment, response and recovery. Based on trigger conditions or on manual actions, the system can send notifications or initiate external activities to contain the threat and adjust your security posture as part of your response playbook.
- Communication and coordination. Custom actions, functions and the REST API integrate bidirectionally with your environment, including ticketing and service management, smart notifications, communication platforms and other business applications. By integrating beyond the SOC, users can coordinate fast and effective case resolution from Orchestration & Automation.
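The four use cases above form one pipeline: artifacts arrive with a case, are enriched, a rule decides whether to escalate, and the result is pushed through the REST API. The Python below is an added example written for this page, not code from IBM Security Orchestration & Automation or its SDK. It classifies raw indicators into the artifact types named above, enriches them against a constructed local threat-intelligence table (standing in for an automatic lookup), applies an escalation rule that also considers a sandbox verdict, and builds the HTTP request a custom action would send. The endpoint path `/rest/orgs/{org_id}/incidents`, the organization id, the JSON field names, the artifact type labels and the playbook action names are assumptions; check the product's REST API reference for the real shapes.

```python
"""Artifact classification, enrichment and an escalation rule for a SOAR case.

Added example; not IBM Security Orchestration & Automation code. The REST
endpoint, field names, action names and threat-intel table are assumptions.
"""
import ipaddress
import json
import re
from typing import Callable, Dict, List, Optional

# Hex-digest lengths of the common file-hash algorithms.
_HASH_LENGTHS = {32: "MD5", 40: "SHA-1", 64: "SHA-256"}
_URL_RE = re.compile(r"^https?://", re.IGNORECASE)
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,253}$")


def classify_artifact(value: str) -> str:
    """Map a raw indicator to an artifact type label (labels are assumptions)."""
    v = value.strip()
    try:
        ipaddress.ip_address(v)
        return "IP Address"
    except ValueError:
        pass
    # Hash check must precede the host-name check: a hex digest is a valid host label.
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in _HASH_LENGTHS:
        return f"{_HASH_LENGTHS[len(v)]} Hash"
    if _URL_RE.match(v):
        return "URL"
    if "\\" in v or "@" in v:  # assumption: DOMAIN\user or UPN form means a user name
        return "User Account"
    if _HOST_RE.match(v):
        return "System Name"
    raise ValueError(f"unrecognised artifact: {value!r}")


# Constructed threat-intelligence table standing in for an automatic lookup.
THREAT_INTEL: Dict[str, Dict[str, str]] = {
    "198.51.100.23": {"verdict": "malicious", "source": "constructed-feed"},
    "http://example.invalid/dropper": {"verdict": "malicious", "source": "constructed-feed"},
}


def enrich(artifact: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Attach a verdict and its source to an artifact; unknown if no feed hit."""
    hit = THREAT_INTEL.get(artifact["value"])
    return {**artifact,
            "verdict": hit["verdict"] if hit else "unknown",
            "source": hit["source"] if hit else None}


def decide_escalation(artifacts: List[dict], sandbox_verdict: Optional[str]) -> dict:
    """Rule: a malicious indicator or sandbox verdict raises severity to High
    and queues containment actions; otherwise the case stays Low with no actions."""
    malicious = [a for a in artifacts if a["verdict"] == "malicious"]
    if not malicious and sandbox_verdict != "malicious":
        return {"severity": "Low", "actions": []}
    actions = ["notify_soc_lead"]  # assumed action names
    if sandbox_verdict == "malicious":
        actions.append("block_hash_on_edr")
    if any(a["type"] == "IP Address" for a in malicious):
        actions.append("block_ip_at_firewall")
    return {"severity": "High", "actions": actions}


def build_case_request(title: str, indicators: List[str], sandbox_verdict: Optional[str] = None,
                       base_url: str = "https://soar.example.invalid", org_id: int = 201) -> dict:
    """Run the pipeline and return the request a custom action would POST."""
    artifacts = [enrich({"type": classify_artifact(v), "value": v}) for v in indicators]
    decision = decide_escalation(artifacts, sandbox_verdict)
    body = {"name": title, "severity_code": decision["severity"], "artifacts": artifacts,
            "properties": {"playbook_actions": decision["actions"]}}
    # Assumed endpoint shape; the real path and fields come from the REST API reference.
    return {"method": "POST", "url": f"{base_url}/rest/orgs/{org_id}/incidents",
            "headers": {"Content-Type": "application/json"}, "body": json.dumps(body)}


def send(request: dict, transport: Callable[[dict], dict]) -> dict:
    """Hand the request to a transport (an HTTP client in production, a stub here)."""
    return transport(request)


if __name__ == "__main__":
    req = build_case_request("Phishing with dropper", ["198.51.100.23", "ws-0042",
                             "d41d8cd98f00b204e9800998ecf8427e"], sandbox_verdict="malicious")
    # Dry-run transport: print what would be sent instead of contacting a server.
    print(send(req, lambda r: {"status": "dry-run", "url": r["url"], "body": r["body"]}))
```

The escalation rule is deliberately separate from the transport so it can be unit-tested without a server, and `send` takes the HTTP client as a parameter so the same playbook code runs against a stub in development and a real client in production.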