Threat Hunting • Room 3

SOAR Integration

When a response requires orchestrating actions across many different tools (EDR, Firewall, Ticketing, Active Directory), Adaptive Response alone isn't enough.

Splunk SOAR (Security Orchestration, Automation and Response) executes complex, multi-step playbooks. An analyst can kick off a playbook from ES that automatically detonates a file in a sandbox, queries VirusTotal, disables the AD account, and creates a Jira ticket — all in seconds.

Knowledge Check

Question 1 of 1
When should a Tier 1 Analyst escalate a Notable Event to a SOAR playbook rather than using a simple Adaptive Response action?
A. Never; SOAR is only for the IT Helpdesk.
B. When the response requires executing a complex, multi-system workflow (like disabling an AD account, blocking a hash across EDR, and creating a ticket).
C. Only when the SIEM is turned off.
D. For every single False Positive to auto-close them.