Top 5 Use Cases for Splunk SOAR (Security Orchestration Automation and Response)

Author: Tom Earl
Release Date: 04/11/2025

In today's threat-laden digital landscape, speed, accuracy and efficiency are everything. Security teams and their analysts are being overwhelmed by the sheer volume of alerts, complex toolsets and an ever-expanding attack surface in their SOCs. Enter Splunk SOAR.

So what is SOAR, I hear you ask, how can it help me and what use cases can it assist me with?

SOAR is a must in modern security operations. It streamlines and supercharges the SOC by automating repetitive tasks across your security stack and accelerating incident response, freeing up valuable analyst time for the work that actually needs a human.

It integrates with a wide range of security tools covering areas such as firewalls, user accounts and email, to name a few. Once an incident has been identified, a playbook built in the Playbook Editor can be run against it, either manually or automatically, and act on it according to the logic you have defined.

There are literally hundreds of use cases for Splunk SOAR; here we focus on the five we most commonly see in use in the current threat landscape.

1. Phishing Email Investigation and Response

Issue - Phishing attacks are extremely common and, to the untrained eye, hard to spot, which makes them damaging to an organisation's security posture. The volume of reported emails can be substantial, and each one normally requires manual triage and investigation, consuming a large amount of analyst time.

Solution - Splunk SOAR can ingest suspicious emails and analyse them for malicious content: URLs, attachments and other indicators of compromise (IOCs). Those indicators can be enriched with data from integrated threat intelligence tools, and an automated response carried out based on the playbook logic: quarantine the email, block the URL, alert the SOC or the user, or a combination of these.

Result - MTTR and investigation times are drastically reduced, and responses are consistent and scalable. The chance of human error is reduced, and analyst time can be spent elsewhere, such as developing playbooks and investigating other cases.
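To make the phishing flow concrete, here is an added example (not code from the article or from Splunk) of the three steps a playbook performs: parse the raw email, extract IOCs, enrich them and map the worst verdict to actions. Splunk SOAR playbooks are Python, so the example is Python, but it uses no SOAR APIs; the sample email, the threat-intel tables standing in for VirusTotal-style lookups, the score thresholds (80 and 40) and the risky-extension list are all constructed assumptions for illustration.

```python
import hashlib
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from typing import Optional

# Constructed sample data standing in for a mail-gateway feed and a threat-intel app.
MALICIOUS_URL = "http://payroll-update.example.test/login"
MALICIOUS_PAYLOAD = b"MZ\x90\x00constructed-fake-payload"
INTEL_URLS = {MALICIOUS_URL: {"verdict": "malicious", "score": 90}}
INTEL_HASHES = {
    hashlib.sha256(MALICIOUS_PAYLOAD).hexdigest(): {"verdict": "malicious", "score": 95},
}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
RISKY_EXT = (".exe", ".scr", ".js", ".vbs", ".hta", ".iso")  # assumed escalation list


def build_email(body: str, attachment: Optional[tuple] = None) -> bytes:
    """Build a raw RFC 5322 message so the parser below runs on realistic input."""
    msg = EmailMessage()
    msg["From"] = "it-support@example-payroll.test"
    msg["To"] = "alice@corp.example"
    msg["Subject"] = "Action required: payroll update"
    msg.set_content(body)
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


def extract_iocs(raw: bytes) -> dict:
    """Pull the sender, every URL and the SHA-256 of each attachment out of a raw email."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    urls, attachments = set(), {}
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            data = part.get_payload(decode=True) or b""
            attachments[part.get_filename() or "unnamed"] = hashlib.sha256(data).hexdigest()
        elif part.get_content_type() in ("text/plain", "text/html"):
            urls.update(URL_RE.findall(part.get_content()))
    return {"sender": str(msg["From"]), "urls": sorted(urls), "attachments": attachments}


def decide_actions(iocs: dict) -> list:
    """Playbook decision logic: enrich each IOC and map the worst score to actions."""
    actions, worst = [], 0
    for url in iocs["urls"]:
        hit = INTEL_URLS.get(url)
        if hit and hit["verdict"] == "malicious":
            worst = max(worst, hit["score"])
            actions.append(f"block_url:{url}")
    for name, digest in iocs["attachments"].items():
        hit = INTEL_HASHES.get(digest)
        if hit and hit["verdict"] == "malicious":
            worst = max(worst, hit["score"])
        elif name.lower().endswith(RISKY_EXT):
            worst = max(worst, 60)  # executable with no intel hit: still escalate to a human
    if worst >= 80:
        actions += ["quarantine_email", "notify_soc"]
    elif worst >= 40:
        actions += ["notify_soc", "notify_user"]
    else:
        actions.append("close_as_benign")
    return actions


def triage(raw: bytes) -> list:
    return decide_actions(extract_iocs(raw))


if __name__ == "__main__":
    phish = build_email("Please confirm your details at\n" + MALICIOUS_URL + "\nbefore Friday.",
                        ("invoice.exe", MALICIOUS_PAYLOAD))
    print(triage(phish))
    print(triage(build_email("See you at the 3pm stand-up.")))
```

The point to notice is the middle branch: an attachment with no intel hit but a risky extension is not closed as benign, it goes to a human. In a real playbook each returned action name would become an action block against the corresponding app (mail server, proxy, ticketing), with the intel tables replaced by live reputation lookups.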

2. Ransomware Detection and Containment

Issue - A user, or group of users, reports that on logging in they have been greeted with a ransom note: a message stating that files they are responsible for have been encrypted and that a payment (usually in cryptocurrency) is required to regain access. The note will typically appear to come from a suspicious or unrecognised sender.

Solution - Splunk SOAR can help detect suspicious behaviour and can be made aware of known ransomware patterns by leveraging information from an integrated SIEM and via the SOAR supported integrations/apps. If configured, it can then carry out automated containment actions such as isolating infected endpoints, disabling compromised accounts and blocking Command and Control (C2) traffic. One final but vital element is communication: stakeholders can be notified that an event has occurred and that forensic data collection has been initiated. In this use case, enriching data from connectors such as Carbon Black Response, LDAP, Palo Alto Networks Firewall and Cylance will greatly increase the chance of detection and reduce the time to react and remediate.

Result - Containing the ransomware and limiting lateral spread buys the team time to investigate the root cause and remediate properly, reducing the chance of a repeat event.
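The detection and containment logic described above, as an added example that is not code from the article or from Splunk: it runs a sliding-window count of ransomware indicators (mass renames to encrypted-file extensions, creation of a ransom note) per host over constructed EDR and firewall events, then builds the containment plan the section lists (isolate endpoint, disable account, block candidate C2, collect forensics, notify stakeholders). The event shape, the extension and ransom-note patterns, and the window and threshold values are all assumptions.

```python
import re
from collections import defaultdict

# Constructed endpoint/network telemetry of the kind an EDR (e.g. Carbon Black) and a
# firewall would forward through the SIEM. Timestamps are epoch seconds.
EVENTS = [
    {"ts": 1000, "host": "WS-042", "user": "bob", "type": "file_rename",
     "path": r"C:\Users\bob\Documents\q1-budget.xlsx.locked"},
    {"ts": 1003, "host": "WS-042", "user": "bob", "type": "file_rename",
     "path": r"C:\Users\bob\Documents\board-pack.docx.locked"},
    {"ts": 1007, "host": "WS-042", "user": "bob", "type": "file_rename",
     "path": r"C:\Users\bob\Documents\payroll.csv.locked"},
    {"ts": 1011, "host": "WS-042", "user": "bob", "type": "file_rename",
     "path": r"C:\Users\bob\Pictures\holiday.jpg.locked"},
    {"ts": 1015, "host": "WS-042", "user": "bob", "type": "file_create",
     "path": r"C:\Users\bob\Desktop\HOW_TO_DECRYPT_FILES.txt"},
    {"ts": 1020, "host": "WS-042", "user": "bob", "type": "net_conn",
     "dst_ip": "203.0.113.7", "dst_port": 443},
    {"ts": 1025, "host": "WS-042", "user": "bob", "type": "file_rename",
     "path": r"C:\Users\bob\Documents\notes.txt.locked"},
    # Benign host: a single backup-tool rename and a normal connection, below threshold.
    {"ts": 1002, "host": "WS-007", "user": "carol", "type": "file_rename",
     "path": r"C:\Backups\archive.zip.enc"},
    {"ts": 1500, "host": "WS-007", "user": "carol", "type": "net_conn",
     "dst_ip": "198.51.100.20", "dst_port": 443},
]

RANSOM_EXT = re.compile(r"\.(locked|encrypted|crypt|enc|cry)$", re.IGNORECASE)
RANSOM_NOTE = re.compile(r"(how_to_decrypt|readme_to_restore|recover_files)\S*\.(txt|html|hta)$",
                         re.IGNORECASE)


def is_ransomware_indicator(event: dict) -> bool:
    if event["type"] == "file_rename":
        return bool(RANSOM_EXT.search(event["path"]))
    if event["type"] == "file_create":
        filename = event["path"].rsplit("\\", 1)[-1]
        return bool(RANSOM_NOTE.search(filename))
    return False


def detect_ransomware(events, window_s=60, threshold=5) -> dict:
    """Flag hosts with at least `threshold` indicators inside any `window_s` span."""
    per_host = defaultdict(list)
    for ev in events:
        if is_ransomware_indicator(ev):
            per_host[ev["host"]].append(ev)
    hits = {}
    for host, evs in per_host.items():
        evs.sort(key=lambda e: e["ts"])
        lo = 0
        for hi in range(len(evs)):  # two-pointer sliding window over sorted timestamps
            while evs[hi]["ts"] - evs[lo]["ts"] > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                hits[host] = {"user": evs[lo]["user"], "first_seen": evs[lo]["ts"],
                              "indicators": hi - lo + 1}
                break
    return hits


def containment_plan(hits: dict, events) -> list:
    """Turn detections into the ordered actions a playbook would dispatch to its apps."""
    plan = []
    for host, info in sorted(hits.items()):
        plan.append(("isolate_endpoint", host))
        plan.append(("disable_account", info["user"]))
        # Outbound connections from the host after the first indicator are candidate C2.
        c2 = {e["dst_ip"] for e in events
              if e["type"] == "net_conn" and e["host"] == host and e["ts"] >= info["first_seen"]}
        plan.extend(("block_ip", ip) for ip in sorted(c2))
        plan.append(("collect_forensics", host))
        plan.append(("notify_stakeholders", f"{host} isolated after {info['indicators']} indicators"))
    return plan


if __name__ == "__main__":
    detections = detect_ransomware(EVENTS)
    for step in containment_plan(detections, EVENTS):
        print(step)
```

The threshold matters: WS-007's single `.enc` rename is exactly what a legitimate backup or encryption tool produces, and it is the rate of indicators per host, not any one file, that separates it from WS-042. Forensic collection is ordered after isolation so the evidence is not altered by further encryption, and the C2 block is scoped to connections made after the first indicator rather than every destination the host has ever talked to.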

3. User Account Compromise Investigation

Issue - Let's assume that a user's account credentials have been compromised, whether through poor password hygiene, weak password policies or other nefarious actions by attackers. The problem now is that the account could be locked down by the threat actor or, even worse, used for data theft, data encryption or financial fraud.

Solution - Being able to identify and respond to suspicious logins is essential, and there are some key notables that help spot such activity. Splunk SOAR can automatically respond to anomalous login events such as impossible travel or logins from anonymity networks such as Tor. It can correlate the identity of the user with endpoint and network data, where available, to assess the risk that a login is malicious. With the right connectors/apps enabled and utilised by Splunk SOAR, such as Azure AD Graph, actions such as locking or disabling the account can be carried out. Furthermore, rather than developing your own playbook for these actions, the Azure AD Account locking playbook can be leveraged, saving both time and money and helping keep the organisation safe from compromised accounts.

Result - This use case shows how easy it is for threat actors to exploit compromised accounts, but also how much harder it becomes for them when the right approach, techniques and playbooks are adopted.
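As an added example (not code from the article or from Splunk's Azure AD playbook), here is the impossible-travel and Tor-exit check the section describes, run over constructed login events that are already geo-resolved the way an identity provider reports them. The haversine distance between consecutive logins divided by the elapsed time gives an implied speed; anything above a plausible airliner speed is flagged. The event shape, the 900 km/h threshold and the one-address Tor exit list are assumptions for illustration.

```python
import math
from collections import defaultdict
from datetime import datetime

# Constructed, geo-resolved login events and a stand-in for a Tor exit-node feed.
LOGINS = [
    {"user": "alice", "ts": "2025-04-11T08:00:00+00:00", "ip": "198.51.100.10",
     "lat": 51.5074, "lon": -0.1278, "city": "London"},
    {"user": "alice", "ts": "2025-04-11T09:30:00+00:00", "ip": "203.0.113.44",
     "lat": 40.7128, "lon": -74.0060, "city": "New York"},
    {"user": "bob", "ts": "2025-04-11T10:05:00+00:00", "ip": "192.0.2.99",
     "lat": 52.3676, "lon": 4.9041, "city": "Amsterdam"},
    {"user": "carol", "ts": "2025-04-11T07:00:00+00:00", "ip": "198.51.100.11",
     "lat": 51.5074, "lon": -0.1278, "city": "London"},
    {"user": "carol", "ts": "2025-04-11T10:00:00+00:00", "ip": "198.51.100.12",
     "lat": 53.4808, "lon": -2.2426, "city": "Manchester"},
]
TOR_EXITS = {"192.0.2.99"}
MAX_SPEED_KMH = 900  # assumed: roughly airliner cruising speed, faster is not physically possible


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points on a sphere of Earth's mean radius."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def analyse_logins(logins, tor_exits=TOR_EXITS, max_speed_kmh=MAX_SPEED_KMH) -> list:
    """Return one finding per Tor-exit login and per impossible consecutive login pair."""
    findings = []
    by_user = defaultdict(list)
    for ev in logins:
        by_user[ev["user"]].append(ev)
    for user, evs in by_user.items():
        evs = sorted(evs, key=lambda e: e["ts"])
        for ev in evs:
            if ev["ip"] in tor_exits:
                findings.append({"user": user, "reason": "tor_exit", "ip": ev["ip"]})
        for prev, cur in zip(evs, evs[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            delta = datetime.fromisoformat(cur["ts"]) - datetime.fromisoformat(prev["ts"])
            hours = max(delta.total_seconds() / 3600, 1 / 3600)  # floor at one second: no divide by zero
            speed = km / hours
            if speed > max_speed_kmh:
                findings.append({"user": user, "reason": "impossible_travel",
                                 "from": prev["city"], "to": cur["city"],
                                 "km": round(km), "speed_kmh": round(speed)})
    return findings


def respond(findings) -> list:
    """Map findings to the account actions an identity-provider app would expose."""
    actions = []
    for user in sorted({f["user"] for f in findings}):
        actions += [("disable_account", user), ("revoke_sessions", user), ("notify_soc", user)]
    return actions


if __name__ == "__main__":
    found = analyse_logins(LOGINS)
    for f in found:
        print(f)
    print(respond(found))
```

Two practical caveats the code reflects: logins are compared per user in time order, so a VPN concentrator or cloud egress that geo-resolves far from the user will produce false positives unless those address ranges are allow-listed, and revoking existing sessions is ordered alongside the disable, since disabling an account alone does not end tokens the attacker already holds.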

4. Threat Intelligence Enrichment and Correlation

Issue - Security analysts spend too much time detecting and responding to constantly evolving threats, which increases MTTD and MTTR. Much of that time goes on gathering context on IOCs and threats by jumping between different security tools.

Solution - So what do Splunk and Splunk SOAR do to help? They can automatically enrich or investigate IPs, domains, file hashes and URLs using sources such as VirusTotal and Recorded Future for Splunk SOAR, provided the required connectors are configured.

SOAR can also score and correlate IOCs across historical logs and incidents. That correlation can be added as enrichment to any case being worked, so that once again MTTD and MTTR are heavily reduced.

Result - Analysts get instant context without jumping from tool to tool and, just by leveraging what Splunk SOAR offers, can make faster and smarter decisions.
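The scoring and correlation step, as an added example that is not code from the article or from any Splunk app: each IOC gets a composite score from external reputation (the most pessimistic of two sources) plus local case history, where earlier true-positive cases add weight, false positives subtract it, and both decay with age. The intel response shapes, the historical cases, the weights and the 180-day decay are constructed assumptions; real VirusTotal and Recorded Future responses carry many more fields.

```python
from datetime import date

# Constructed reputation data (loosely shaped like a detections/total ratio from a
# VirusTotal-style source and a 0-100 risk from a Recorded Future-style source)
# and constructed historical SOAR cases. None of it is real.
INTEL = {
    "203.0.113.7": {"vt_malicious": 14, "vt_total": 70, "rf_risk": 88},
    "evil-update.example.test": {"vt_malicious": 3, "vt_total": 70, "rf_risk": 40},
    "198.51.100.20": {"vt_malicious": 0, "vt_total": 70, "rf_risk": 5},
}
HISTORICAL_CASES = [
    {"id": "CASE-101", "closed": "2025-03-02", "verdict": "true_positive",
     "iocs": {"203.0.113.7", "evil-update.example.test"}},
    {"id": "CASE-117", "closed": "2025-03-20", "verdict": "true_positive",
     "iocs": {"203.0.113.7"}},
    {"id": "CASE-130", "closed": "2025-01-15", "verdict": "false_positive",
     "iocs": {"198.51.100.20"}},
]
CASE_WEIGHT = 20      # assumed: points per related case, sign depends on its verdict
DECAY_DAYS = 180      # assumed: a case this old no longer influences the score


def score_ioc(ioc: str, as_of: str, intel=INTEL, cases=HISTORICAL_CASES) -> dict:
    """Composite 0-100 score for one IOC: external reputation plus decayed local history."""
    today = date.fromisoformat(as_of)
    rep = intel.get(ioc, {})
    vt_ratio = 100 * rep.get("vt_malicious", 0) / max(rep.get("vt_total", 1), 1)
    external = max(vt_ratio, rep.get("rf_risk", 0))  # trust the most pessimistic source
    related = [c for c in cases if ioc in c["iocs"]]
    local = 0.0
    for c in related:
        age_days = (today - date.fromisoformat(c["closed"])).days
        decay = max(0.0, 1 - age_days / DECAY_DAYS)
        sign = 1 if c["verdict"] == "true_positive" else -1
        local += sign * CASE_WEIGHT * decay
    score = int(max(0, min(100, external + local)))
    return {"ioc": ioc, "score": score, "external": round(external),
            "related_cases": sorted(c["id"] for c in related)}


def enrich_case(iocs, as_of: str) -> dict:
    """Score every IOC on a case and derive a case priority from the worst one."""
    scored = sorted((score_ioc(i, as_of) for i in iocs), key=lambda s: -s["score"])
    top = scored[0]["score"] if scored else 0
    priority = "high" if top >= 70 else "medium" if top >= 40 else "low"
    return {"priority": priority, "iocs": scored}


if __name__ == "__main__":
    case = enrich_case(["203.0.113.7", "evil-update.example.test", "198.51.100.20"], "2025-04-11")
    print(case["priority"])
    for entry in case["iocs"]:
        print(entry)
```

The related case IDs are the part analysts value most: an IP that scored only moderately externally but appears in two recent true-positive cases is exactly the "we have seen this before" context that tool-hopping costs minutes to reconstruct by hand.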

5. Vulnerability Management and Patch Automation

Issue - Staying ahead of the game, and by game I mean emerging threats and new vulnerabilities, is a constant struggle. Keeping track of which assets are correctly patched, which OS versions are in use and which CVEs you are not yet tracking and responding to is enough to keep any analyst or admin busy well outside their mandated hours.

Solution - Thankfully, once again Splunk SOAR has you covered. It can integrate with vulnerability scanners such as Qualys and Tenable to provide near real time insight into the health and status of your estate. Findings can be prioritised based on severity, exploitability and asset criticality. If configured correctly, community playbooks can flag to remediation teams and service desks that patches are due or that instances and entities may be exposed to CVEs. Creating, updating and closing tickets in ticketing suites such as ServiceNow or Jira can be automated too, making it a powerful and cost efficient solution.

Result - MTTD and MTTR are significantly reduced, the risk of exposure is lowered and, importantly, analyst time is freed up. Leveraging Splunk Asset and Risk Intelligence (ARI) you can also keep your asset register up to date and protect assets from vulnerabilities and out-of-date patching.
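The prioritisation and ticketing step, as an added example that is not code from the article, from Splunk or from any community playbook: scanner findings are combined with an asset inventory into a composite score (CVSS scaled by asset criticality and network exposure, with a multiplier when the vulnerability is known to be exploited), then grouped into one ticket per asset carrying the priority and SLA of its worst finding. The CVE identifiers are placeholders rather than real vulnerabilities, and the assets, weights and priority bands are constructed assumptions to be tuned per organisation.

```python
# Constructed scanner output (placeholder CVE IDs, not real vulnerabilities) and an
# asset inventory of the kind a CMDB or Splunk ARI would provide.
ASSETS = {
    "web-01": {"criticality": 5, "exposure": "internet", "owner": "platform-team"},
    "db-02": {"criticality": 4, "exposure": "internal", "owner": "data-team"},
    "dev-03": {"criticality": 2, "exposure": "internal", "owner": "dev-team"},
}
FINDINGS = [
    {"asset": "web-01", "cve": "CVE-0000-0001", "cvss": 9.8, "known_exploited": True, "patch_available": True},
    {"asset": "web-01", "cve": "CVE-0000-0002", "cvss": 5.3, "known_exploited": False, "patch_available": True},
    {"asset": "db-02", "cve": "CVE-0000-0003", "cvss": 8.1, "known_exploited": False, "patch_available": True},
    {"asset": "dev-03", "cve": "CVE-0000-0002", "cvss": 5.3, "known_exploited": False, "patch_available": False},
]
EXPOSURE_WEIGHT = {"internet": 1.0, "internal": 0.6, "isolated": 0.3}  # assumed
EXPLOITED_MULTIPLIER = 1.5                                              # assumed
# (minimum score, priority label, SLA in days): assumed bands, highest first
PRIORITY_BANDS = [(10.0, "P1", 2), (6.0, "P2", 7), (3.0, "P3", 30), (0.0, "P4", 90)]


def risk_score(finding: dict, asset: dict) -> float:
    """CVSS scaled by how much the asset matters, how reachable it is, and real-world exploitation."""
    criticality = asset["criticality"] / 5          # inventory rates assets 1-5
    exposure = EXPOSURE_WEIGHT.get(asset["exposure"], 1.0)
    exploited = EXPLOITED_MULTIPLIER if finding["known_exploited"] else 1.0
    return round(finding["cvss"] * criticality * exposure * exploited, 2)


def priority_for(score: float):
    for minimum, label, sla_days in PRIORITY_BANDS:
        if score >= minimum:
            return label, sla_days
    return "P4", 90


def build_tickets(findings, assets) -> list:
    """One ticket payload per asset, ranked by its worst finding; this is what a playbook
    would hand to a ServiceNow or Jira app's create-ticket action."""
    per_asset = {}
    for f in findings:
        asset = assets[f["asset"]]
        score = risk_score(f, asset)
        ticket = per_asset.setdefault(f["asset"], {
            "asset": f["asset"], "assignee": asset["owner"], "cves": [], "score": 0.0})
        ticket["cves"].append({"cve": f["cve"], "score": score,
                               "patch_available": f["patch_available"]})
        ticket["score"] = max(ticket["score"], score)
    tickets = []
    for ticket in per_asset.values():
        label, sla_days = priority_for(ticket["score"])
        ticket["priority"], ticket["sla_days"] = label, sla_days
        ticket["cves"].sort(key=lambda c: -c["score"])
        worst = ticket["cves"][0]["cve"]
        ticket["summary"] = f"[{label}] Patch {ticket['asset']}: {len(ticket['cves'])} finding(s), worst {worst}"
        tickets.append(ticket)
    tickets.sort(key=lambda t: -t["score"])
    return tickets


if __name__ == "__main__":
    for t in build_tickets(FINDINGS, ASSETS):
        print(t["summary"], "-> due in", t["sla_days"], "days, assigned to", t["assignee"])
```

Note what the ranking does that raw CVSS alone would not: the internal database with an 8.1 finding lands below the internet-facing host with a known-exploited 9.8, while the same medium CVE on a low-criticality dev box drops to P4. Grouping per asset also avoids flooding the service desk with one ticket per CVE, and the `patch_available` flag is carried through so the remediation team knows when the fix is a mitigation rather than a patch.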

In Summary

Splunk SOAR covers a whole raft of use cases to suit even the most complex environments and the most meticulous analysts, effectively and efficiently reducing manual workloads and lowering MTTD and MTTR. From vulnerability management to phishing attacks, Splunk SOAR has your best interests in mind.

More Resources like this one:

What is Splunk SOAR? Security Orchestration Overview

What is Splunk SOAR (Phantom)? Short Video Series
