Administering SOAR (ASOAR)

Module 1 – Introduction, Deployment and Installation

• Describe SOAR operating concepts
• Identify documentation and community resources
• Identify installation and upgrade options
• SOAR & Splunk Architecture
• Splunk/SOAR relationships

Module 2 – Initial Configuration

• Product settings
• Access control
• Authentication settings
• Response settings
• Understanding roles
• Creating users
• Managing user access

Module 3 – Apps, Assets and Playbooks

• Describe how apps and assets work in SOAR
• Add and configure new apps
• Configure assets
• Manage playbooks
• Module 4 –Ingesting Data
• Assets as data sources
• Configuring data polling
• Labels and tags
• Data ingestion management
• Event settings

Module 4 – Ingesting Data

• Assets as data sources
• Configuring data polling
• Labels and tags
• Data ingestion management
• Event settings

Module 5 – Analyst Queue

• Work with the analyst queue
• Filtering and sorting
• Using search
• Container export and import
• Aggregation settings

Module 6 – Investigations

• Use the Investigation page to work on events
• Use indicators to find matching artifacts in multiple events
• Using the heads-up display
• Using notes

Module 7 – Actions, Playbooks and Files

• Manually run actions and examine action results
• Manually run playbooks
• Store related files in events

Module 8 – Case Management and Workbooks

• Use case management for complex investigations
• Use case workflows
• Define new workbooks
• Customize case management

Module 9 – Customization

• Create custom severity levels
• Create custom status levels
• Add custom fields and CEF settings
• Create custom workbooks

Module 10 – Additional Topics

• Run reports
• Use SOAR audit tools
• Monitor system health
• Define clustering best practices
• Configure multi-server SOAR clusters
• Configure multi-tenancy
• Backup/restore