Course Overview
This 3 hour course prepares security practitioners to use SOAR to respond to security incidents, investigate vulnerabilities, and take action to mitigate and prevent security problems.
Course Content
- SOAR concepts
- Investigations
- Running actions and playbooks
- Case management & workflows
Certifications
This course is part of the following Certifications:
Prerequisites
Basic Security operations knowledge.
Outline: Investigating Incidents with Splunk SOAR (IISS)
Topic 1 – Starting Investigations
- SOAR investigation concepts
- ROI view
- Using the Analyst Queue
- Using indicators
- Using search
Topic 2 – Working on Events
- Use the Investigation page to work on events
- Use the heads-up display
- Set event status and other fields
- Use notes and comments
- How SLA affects event workflow
- Using artifacts and files
- Exporting events
- Executing actions and playbooks
- Managing approvals
Topic 3 – Cases: Complex Events
- Use case management for complex investigations
- Use case workflows
- Mark evidence
- Running reports