SOAR Automation overview

Security Orchestration, Automation, and Response (SOAR) automates threat detection, investigation and response processes. It is offered under two licenses, SOAR Automation and Case Management. Automation provides access to generic playbooks and the ability to create new automated playbooks. Case Management is part of SOAR Automation and lets you track and manage all SOAR security incidents.

  • Automates manual, time-consuming or repetitive security tasks, from processes you run every day to processes you only need once in a while

  • Automates reporting

  • Aggregates data from multiple sources

  • Provides a centralized, auditable record of security activity for compliance requirements.

How SIEM and SOAR Work Together

SOAR seamlessly integrates with Logpoint SIEM to use SIEM-based log events. An event is a single action received from a log source, for example a user login, a firewall alert, or a system change. SIEM adds contextual and domain information, through normalization and enrichment, to the log event.

Logpoint SIEM analyzes log events through alert rules, which check events as they occur. When the conditions of an alert rule match the activity in the events, Logpoint SIEM generates an alert, because the match indicates a potential security threat or a violation of security policy.

When one or more alerts are generated, an incident corresponding to the alert is automatically created in Logpoint SIEM. It is this incident, together with the alert it is based on, that links SIEM with SOAR.

When a SIEM incident is created, a SOAR playbook is the automated workflow that detects, investigates and responds to it. A playbook is a workflow made up of all the individual actions required to detect, investigate and respond to an incident.

At the same time an incident is created in SIEM, a case is created in SOAR. A SOAR case groups one or more SIEM incidents, possibly from different log sources, and contains all the data about a potential threat scenario and its investigation.
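To make the event → alert → incident → case → playbook chain concrete, here is a small runnable model of the flow described above. It is an added illustration written for this page, not Logpoint code and not Logpoint's rule syntax or API: the normalized sample events, the two alert rules, the case-correlation key (shared source IP) and the playbook actions are all constructed for the example.

```python
"""Toy model of the SIEM -> SOAR flow (constructed example, not Logpoint code).
Events, rule names, correlation key and playbook actions are illustrative only."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Event:
    source: str   # log source that produced the event (constructed names)
    ts: int       # timestamp in seconds
    user: str
    src_ip: str
    action: str   # already-normalized action, as SIEM normalization would yield


@dataclass
class Alert:
    rule: str
    events: list          # the events that matched the rule


@dataclass
class Incident:
    id: int
    alert: Alert          # the alert the incident is based on


@dataclass
class Case:
    id: int
    incidents: list = field(default_factory=list)
    log_sources: set = field(default_factory=set)
    playbook_log: list = field(default_factory=list)


# Constructed sample events from two log sources: a domain controller and a firewall.
EVENTS = [
    Event("windows-dc01", 100, "alice", "10.0.0.5", "login_failed"),
    Event("windows-dc01", 105, "alice", "10.0.0.5", "login_failed"),
    Event("windows-dc01", 110, "alice", "10.0.0.5", "login_failed"),
    Event("windows-dc01", 120, "alice", "10.0.0.5", "login_success"),
    Event("fw-edge",      125, "alice", "10.0.0.5", "outbound_denied"),
    Event("windows-dc01", 300, "bob",   "10.0.0.9", "login_success"),
]


def rule_bruteforce_then_success(events, threshold=3, window=60):
    """Alert rule: at least `threshold` failed logins for one user/IP pair,
    followed by a successful login within `window` seconds."""
    alerts = []
    by_key = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_key[(e.user, e.src_ip)].append(e)
    for evs in by_key.values():
        fails = [e for e in evs if e.action == "login_failed"]
        for s in (e for e in evs if e.action == "login_success"):
            recent = [f for f in fails if s.ts - window <= f.ts < s.ts]
            if len(recent) >= threshold:
                alerts.append(Alert("bruteforce_then_success", recent + [s]))
    return alerts


def rule_denied_egress_after_login(events, window=60):
    """Alert rule on firewall events: outbound traffic denied from an IP that
    logged in somewhere within the previous `window` seconds."""
    alerts = []
    logins = [e for e in events if e.action == "login_success"]
    for d in (e for e in events if e.action == "outbound_denied"):
        prior = [l for l in logins
                 if l.src_ip == d.src_ip and d.ts - window <= l.ts <= d.ts]
        if prior:
            alerts.append(Alert("egress_denied_after_login", prior + [d]))
    return alerts


RULES = [rule_bruteforce_then_success, rule_denied_egress_after_login]


def run_siem(events):
    """Evaluate every alert rule; each alert becomes its own incident."""
    incidents = []
    for rule in RULES:
        for alert in rule(events):
            incidents.append(Incident(len(incidents) + 1, alert))
    return incidents


def correlate_into_cases(incidents):
    """Group incidents that share a source IP into one case (hypothetical
    correlation key) and record which log sources contributed to it."""
    cases = {}
    for inc in incidents:
        ip = inc.alert.events[-1].src_ip
        case = cases.setdefault(ip, Case(len(cases) + 1))
        case.incidents.append(inc)
        case.log_sources.update(e.source for e in inc.alert.events)
    return list(cases.values())


def run_playbook(case):
    """Hypothetical playbook: enrich, then respond more aggressively when
    more than one log source corroborates the threat."""
    ip = case.incidents[0].alert.events[-1].src_ip
    case.playbook_log.append(f"enrich: reputation lookup for {ip}")
    if len(case.log_sources) > 1:
        case.playbook_log.append(f"respond: isolate host {ip}")
    else:
        case.playbook_log.append("respond: notify analyst")
    return case.playbook_log


if __name__ == "__main__":
    for case in correlate_into_cases(run_siem(EVENTS)):
        print(case.id, sorted(case.log_sources), run_playbook(case))
```

Running it yields one case built from two incidents (the brute-force rule on the domain-controller events and the firewall rule on the denied egress), and because the case spans two log sources the playbook escalates to host isolation rather than a notification. The point of the model is the separation of concerns: rules only decide whether an alert fires, the case is where incidents from different sources meet, and the playbook acts on the case rather than on individual events.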
