Splunk SOAR (Security Orchestration, Automation and Response) Features

Diagnose and resolve incidents without the need for human interaction.

Guide users through the resolution process and give specific instructions to remedy individual occurrences.

Cuts off network connection or temporarily inactivate applications until incidents are remedied.

Gathers information related to threats in order to gain further information on remedies.

Analyzes incidents, correlates related events, and determines the scope and impact of attacks.

Clearly notifies users with relevant information and anomalies in a timely manner.

Sets a standard performance baseline by which to compare log activity.

Allows platform to scale to size of desired environment and configured with high availability and disaster recovery capabilities.

Information on each incident is stored in databases for user reference and analytics.

Produces reports detailing trends and vulnerabilities related to their network and infrastructure.

Gives alerts when incidents arise. Some responses may be automated, but users will still be informed.

Ability to track incidents, tasks, evidence, and investigation progress within a structured case.

Administrators can organize workflows to guide remedies to specific situations incident types.

Visually displays connected applications and integrated data. Allows customization and management of workflow structures.

Streamline the flow of work processes by establishing triggers and alerts that notify and route information to the appropriate people when their action is required within the compensation process.

Reduces time spent remedying issues manually. Resolves common network security incidents quickly.

Constantly monitors logs to detect anomalies in real time.

Integrates additional security tools to automate security and incident response processes.

Collects information from multiple sources to cross reference and build contextual to correlate intelligence.

Stores information related to common threats and how to resolve them once incidents occur.

Offer pre-built and custom reporting and dashboards for quick insights into system states.

Allows users to generate text based on a text prompt.

Condenses long documents or text into a brief summary.

Detect and link suspicious activities across systems in real time.

Identify and dismiss non‑threats through intelligent pattern recognition.

Reduce noise by automatically evaluating and prioritizing alerts based on risk and context.

Investigate alerts end‑to‑end, gathering evidence and building incident timelines.

Enrich cases with data from SIEM, EDR, cloud, identity, and threat‑intel feeds.

Create visual maps of threat propagation and lateral movement through networks.

Allow SOC teams to query agents via natural language about ongoing cases.

Improve agent performance through adaptive learning from security team corrections.

Provide human‑readable reasoning trails and decision justifications.

Track and lower MTTD/MTTR/MTTC through autonomous reactions.

Adapt remediation actions without requiring static SOAR playbooks.

Execute predefined or adaptive responses (e.g., isolate endpoints, revoke credentials).