Setting up Splunk SIEM.md - Juan-bit94/Ops401D10 GitHub Wiki

Setting up Splunk SIEM

Why does this topic matter?

  • This topic matters because more and more organizations and platforms are implementing SOAR solutions, which streamline the incident response process and make it more efficient by automating routine tasks.

How would a security team benefit from implementing a SOAR solution?

  • After reading the articles, I can see a variety of benefits a SOAR solution would bring to a security team.
    • The first is that SOAR eases the team's workload by automating repetitive and time-consuming tasks. That automation frees the team to focus on other projects and issues.
    • The second is that SOAR shortens the team's response time to security incidents by identifying and containing threats quickly, which minimizes the potential impact on the organization.
    • Lastly, a SOAR solution scales. Security incidents are becoming more complex, so the ability to handle a larger number of them is paramount.

Explain how a SOAR solution fits into the Incident Response process.

  • A SOAR solution fits into several stages of the incident response process.
    • SOAR can integrate with SIEM systems to automate detection, flagging potential security incidents when alerts match defined rules.
    • The solution can also be used in incident analysis. Automatically gathering additional data, such as asset context, threat intelligence feeds, and historical alerts, gives the analyst richer incident data to work with.
    • SOAR also fits into the documentation and reporting portion of the incident response process. It can record the entire response as it happens, which is useful for post-incident analysis, compliance reports, and improving future strategies.
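
To make the three stages above concrete, here is an added Python sketch of a playbook that takes a SIEM alert through rule matching, enrichment, a containment decision, and a timestamped incident record. It is an illustration written for this page, not code from the wiki or from Splunk SOAR (whose playbook API is not used here). The alert fields, hostnames, IP addresses, threat-intel entries, asset inventory and containment policy are all constructed inputs so the file runs offline.

```python
"""Toy SOAR-style playbook: SIEM alert -> rule match -> enrichment -> containment
decision -> incident record. Illustration only; this is not Splunk SOAR's API and all
inputs (alerts, threat intel, asset inventory, alert history) are constructed inline."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed SIEM alerts. Field names are hypothetical, not Splunk's schema.
SAMPLE_ALERTS = [
    {"id": "A-1001", "rule": "outbound_beacon", "src_host": "ws-042", "dst_ip": "203.0.113.45", "count": 180},
    {"id": "A-1002", "rule": "failed_logins", "src_host": "ws-017", "dst_ip": "10.0.0.5", "count": 3},
    {"id": "A-1003", "rule": "outbound_beacon", "src_host": "db-01", "dst_ip": "198.51.100.9", "count": 60},
]

# Constructed enrichment sources. In a real deployment these would be API lookups.
THREAT_INTEL = {"203.0.113.45": "listed as C2 infrastructure (constructed entry)"}
ASSETS = {"ws-042": "workstation", "ws-017": "workstation", "db-01": "crown-jewel"}
HISTORY = {"ws-042": ["A-0990"], "ws-017": [], "db-01": []}

# Detection rules: alert name -> threshold that must be met before the playbook fires.
RULES = {"outbound_beacon": {"min_count": 50}, "failed_logins": {"min_count": 10}}


@dataclass
class Incident:
    alert_id: str
    host: str
    severity: str = "low"
    actions: list = field(default_factory=list)
    timeline: list = field(default_factory=list)

    def log(self, message: str) -> None:
        """Timestamped entry for the post-incident record."""
        self.timeline.append(f"{datetime.now(timezone.utc).isoformat()} {message}")


def matches_rule(alert: dict) -> bool:
    """Detection step: fire only for known rules whose threshold is met."""
    rule = RULES.get(alert["rule"])
    return rule is not None and alert["count"] >= rule["min_count"]


def enrich(alert: dict) -> dict:
    """Analysis step: attach threat intel, asset context and history to the raw alert."""
    return {
        "intel": THREAT_INTEL.get(alert["dst_ip"]),
        "asset_class": ASSETS.get(alert["src_host"], "unknown"),
        "prior_alerts": HISTORY.get(alert["src_host"], []),
    }


def score(enrichment: dict) -> str:
    """Severity: a threat-intel hit or a critical asset is high, everything else medium."""
    if enrichment["intel"] or enrichment["asset_class"] == "crown-jewel":
        return "high"
    return "medium"


def run_playbook(alert: dict):
    """Return an Incident for a matching alert, or None if the alert is filtered out."""
    if not matches_rule(alert):
        return None
    inc = Incident(alert_id=alert["id"], host=alert["src_host"])
    inc.log(f"alert {alert['id']} matched rule {alert['rule']} (count={alert['count']})")
    e = enrich(alert)
    inc.log(f"enrichment: {e}")
    inc.severity = score(e)
    # Containment policy (constructed): a workstation talking to a known-bad IP is isolated
    # automatically; a high-severity finding on a crown-jewel host only queues an approval
    # request, so automation never takes a critical system offline unattended.
    if e["intel"] and e["asset_class"] == "workstation":
        inc.actions.append(f"isolate_host:{inc.host}")
    elif inc.severity == "high":
        inc.actions.append(f"request_approval:isolate_host:{inc.host}")
    else:
        inc.actions.append(f"open_ticket:{inc.alert_id}")
    inc.log(f"severity={inc.severity} actions={inc.actions}")
    return inc


def triage(alerts: list) -> list:
    """Run the playbook over a batch of alerts and keep only the real incidents."""
    return [inc for inc in map(run_playbook, alerts) if inc is not None]


def report(inc: Incident) -> str:
    """Reporting step: render the incident record as plain text for post-incident review."""
    lines = [f"Incident {inc.alert_id} on {inc.host} (severity {inc.severity})",
             "Actions: " + ", ".join(inc.actions), "Timeline:"]
    lines.extend("  " + entry for entry in inc.timeline)
    return "\n".join(lines)


if __name__ == "__main__":
    for incident in triage(SAMPLE_ALERTS):
        print(report(incident), end="\n\n")
```

Running the file shows the three outcomes a playbook must distinguish: the low-count login alert is dropped before anyone sees it, the workstation beaconing to a listed address is isolated automatically, and the database host is escalated for human approval instead of being isolated by a script. The timeline on each incident is the audit trail the reporting stage relies on.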

Things I want to know more about

  • I would like to know more about how automation for SOAR works exactly. It would be valuable for me to know more about how to integrate scripts within the SOAR environment, and which programming languages are used.