Use cases

This section defines four basic use cases and provides examples of existing apps that can be used in these scenarios.

The basic use cases within a SOAR environment are as follows.
  • Monitoring and Escalation

    When a significant event occurs, applications connect to the SOAR Platform to escalate incidents from email, SIEMs, ticketing systems, and other sources. The escalated incidents include artifacts such as IP addresses, file hashes, URLs, usernames, and system names.

    The App Exchange contains two such apps, SOAR QRadar® integration and SOAR Integration for Splunk.

  • Identification and Enrichment

    Automatic threat intelligence lookups, playbooks or workflows, and menu-driven actions deliver valuable context, reduce the time needed to identify scope and impact, and enable a rapid, decisive response. Trigger sandbox evaluation and build playbooks that act on the results. Search logs and endpoints, then make decisions based on the data. Include Configuration Management Database (CMDB) and directory information to help analysts make an accurate assessment of severity and impact. Pivot on these critical data elements to dynamically adjust the way that your team responds.

  • Containment, Response, and Recovery

    Based on trigger conditions or on manual actions, the SOAR Platform can send notifications or initiate external activities to contain the threat and adjust your security posture as part of your response playbook. The Ansible® for Resilient® app is an example of this type of app.

  • Communication and Coordination

    By integrating beyond the SOC, users can coordinate a fast and effective incident resolution from the SOAR Platform. Integrate bi-directionally with ticketing and service management, smart notifications, communication platforms, and other business applications. Email is a simple example of the communication and coordination aspect; see the description of the Outbound Email for Resilient app.